On May 25, 2011, the US Securities and Exchange Commission (the “SEC”), in a 3 to 2 vote along party lines, adopted rules implementing Section 922 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act” or the “Act”), which requires the SEC to establish a program to pay awards to eligible whistleblowers reporting federal securities law violations. The rules were initially proposed by the SEC on November 3, 2010, and were subject to significant comment—the SEC received over 240 comment letters and approximately 1,300 form letters. Under the final rules, which will be administered by the newly created Office of the Whistleblower, persons who voluntarily provide original information to the SEC about potential violations of federal securities law that leads to successful enforcement actions in which monetary sanctions exceed US$1 million, are entitled to an award of between 10 and 30 percent of all such sanctions collected.

The final rules are largely consistent with those originally proposed. Most changes refine and clarify the original proposal. In an effort to keep the lure of an award from undermining companies’ compliance programs, the most significant changes to the final rules seek to encourage whistleblowers to report internally before turning to the SEC. In particular, the final rules (i) extend from 90 to 120 days the period whistleblowers have to submit information to the SEC in order to remain eligible for an award after having reported information internally, (ii) clarify that voluntary internal reporting can increase the amount of an award, and (iii) allow employees who report internally to receive awards if their company subsequently discloses to the SEC the information reported by the employee.

Despite the changes described above, the final rules fall short of requiring mandatory internal reporting. As a result, the final rules still have the potential to undermine corporations’ efforts to monitor their own compliance with applicable laws and regulations, investigate potential instances of non-compliance, and take appropriate remedial measures to protect stockholders from the consequences of ongoing non-compliance or other malfeasance.

This Client Alert summarizes key aspects of the final whistleblower rules, noting differences with the originally proposed rules, and outlining certain practical considerations for public companies.

When Will the New Provisions Be Effective?

The final rules will become effective 60 days after publication in the Federal Register, but the statutory provisions of Section 922 of the Dodd-Frank Act apply to any original information provided to the SEC after July 21, 2010. Potential whistleblowers are already entitled to the general rights provided by the Act’s whistleblower provisions and are taking advantage of the new program, as the number and quality of tips received by the SEC has reportedly increased since the enactment of the Dodd-Frank Act.1  

Whistleblower Eligibility Requirements

A whistleblower is an individual who provides the SEC with information relating to a possible violation of the US federal securities laws that has occurred, is ongoing or is about to occur. In order to be eligible for an award, a whistleblower must (i) voluntarily provide the SEC (ii) with original information (iii) that leads to the successful enforcement by the SEC of a federal court or administrative action, (iv) in which monetary sanctions totaling more than US$1 million are obtained. Each of these four requirements is discussed in more detail below.  

Voluntary Submission Requirement

Whistleblowers are eligible for awards only when they “voluntarily” provide original information to the SEC. This covers situations where an individual comes forward before his or her representative is subject to a request, inquiry or demand by any governmental authority or self-regulatory organization, including the SEC and the Public Company Accounting Oversight Board (PCAOB). Under the proposed rules, a submission was not considered “voluntary” if made by an employee after his or her employer had already received an inquiry on the matter; however, the final rules contain no such limitation. Submissions will not be considered “voluntary” if made by an individual who has a pre-existing legal duty to report securities violations to the SEC (but not to some other agency) or has a pre-existing contractual duty to report securities violations to the SEC or certain enumerated agencies (i.e., pursuant to a cooperation agreement). The final rules establish mandatory procedures for an individual to mail, fax or electrically submit, under penalty of perjury, information related to a possible securities law violation. Such submissions may be made anonymously as long as an attorney can certify to the would-be whistleblower’s identity.  

Original Information Requirement

Information is “original” if it is derived from a whistleblower’s independent knowledge or analysis, not already known to the SEC, and not exclusively derived from public sources. Independent knowledge does not require first-hand knowledge—information gained from experience, communications and observations in the whistleblower’s business or social interactions qualifies.

Although the definition of original information is broad, information is not considered “original” when it falls into the following categories:

  1. information that is subject to attorney-client privilege (whether obtained by outside or in-house counsel) unless disclosure of the information would otherwise be permitted by an attorney under the SEC’s rules implementing Section 307 of the Sarbanes-Oxley Act (“SOX”),2 applicable state attorney conduct rules or otherwise;
  2. information learned by directors or officers from another person or in connection with the company’s internal procedures to identify possible violations of law;
  3. information learned by employees whose responsibilities relate to compliance or internal audit or information learned by external employees engaged for similar purposes; or
  4. information learned by an employee of an accounting firm performing an engagement required under federal securities laws (i.e., an annual audit or quarterly review of financial statements).

Notably, however, in contrast to the proposed rules, under the final rules, an individual in possession of information in classes (ii) through (iv) above can become eligible for whistleblower awards when:

  1. the individual reasonably believes disclosure may prevent substantial injury to the financial interests of investors;
  2. the individual reasonably believes the company on which they would report is engaging in conduct that will impede an investigation; or
  3. at least 120 days have elapsed since the individual reported the information to the company’s audit committee or appropriate officer, or if it was clear to the individual that such committee or officer was already aware of the information.

While Chairman Schapiro explained these changes were made because the proposed rules may have “sought to exclude too many important, potential whistleblowers,” Commissioner Paredes voiced concerns that “these exceptions will swallow the general rule that compliance and internal audit personnel are not eligible to receive bounties.”

Successful Enforcement by the SEC Requirement

Information is considered to have led to a successful enforcement action when a whistleblower:

  1. provided information that was “sufficiently specific, credible and timely” to lead to the opening or reopening of an investigation or caused the SEC to inquire regarding different conduct as part of an existing investigation;
  2. provided information about conduct already under investigation that “significantly contributed” to the government prevailing; or
  3. submitted a complaint through his or her internal reporting mechanism, which prompted the company to conduct an internal investigation and ultimately disclose information to the SEC that is covered by (i) or (ii).

The third situation was not part of the proposed rules and is intended to incentivize whistleblowers to avail themselves of their company’s internal compliance program. Chairman Schapiro noted that this addition “could create an opportunity for a whistleblower to obtain an award through internal reporting where the whistleblower might not otherwise have qualified for an award because the information was not sufficiently specific and credible.” To be eligible for an award in this manner, the individual must still report the same information to the SEC within 120 days of reporting it internally.

Sanctions in Excess of US$1 Million

The US$1 million requirement will be met if the SEC obtains monetary sanctions in that amount from more than one action based on the same information. In addition, subject to the SEC obtaining monetary sanctions in excess of the US$1 million amount, the SEC will aggregate amounts obtained in “related actions,” which are federal or state criminal proceedings or certain regulatory and self-regulatory proceedings based on the same original information that enabled the successful SEC enforcement. To prevent wrongdoers from benefitting by blowing the whistle on themselves, the amount on which awards are based will exclude any sanctions arising from the whistleblower’s own misconduct.

Determination of the Amount of an Award

As mentioned above, the SEC will grant an eligible whistleblower a discretionary award of between 10 and 30 percent of the monetary sanctions recovered in an SEC action or related action. Under the proposed rules, the SEC would make a fact-specific determination of the amount of an award based on four general criteria. While fact-specific inquiries remain at the heart of determining the amount of the award, the final rules offer more guidance to the SEC by enumerating specific factors that may either increase or decrease the whistleblower’s award percentage, rather than only providing general criteria to be considered.

The following factors may increase a whistleblower’s award percentage:  

  1. The significance of the information provided by the whistleblower to the success of the action.
  2. The degree of assistance provided by the whistleblower in the action.
  3. The SEC’s programmatic interest in deterring securities laws violations by making awards to whistleblowers who provide information that leads to successful enforcement actions.
  4. Whether, and the extent to which, the whistleblower participated in internal compliance systems.  

The following factors may decrease a whistleblower’s award percentage:  

  1. The whistleblower’s culpability or involvement in misconduct related to the action.
  2. Whether the whistleblower unreasonably delayed reporting the securities laws violations.
  3. Whether the whistleblower undermined the integrity of internal reporting systems.  

Within each of these factors, the SEC lists further guidelines for consideration. However, the final rules neither specify the relative weight of the factors nor the extent to which they will change an award percentage.

What Should Public Companies Do Next?

In light of the increased protections afforded to whistleblowers under the Dodd-Frank Act whistleblower program, companies should reexamine and heighten the visibility of their internal compliance programs, and position themselves to respond effectively and efficiently to internal reports of potential wrongdoing. The following are steps companies should consider in preparing for the new whistleblower regime:

  • Effective Internal Reporting Mechanisms. Companies should evaluate, update and educate their employees about their internal compliance programs to ensure they provide effective reporting mechanisms. For example, a hotline program permitting employees, or even relevant third parties, to provide information anonymously and in real time promotes efficient reporting and signals a commitment to compliance and good corporate citizenship. Companies should further ensure that any reports received through internal mechanisms remain confidential and, where appropriate, lead to prompt investigation and appropriate disciplinary action.
  • Internal Reporting Incentives. Some companies have reportedly considered whether revising their compliance programs to provide for monetary awards or similar incentives may be appropriate to encourage employees to first report internally. Such awards are likely to be insignificant compared to the prospect of at least US$100,000 potentially recoverable under the SEC’s bounty program. Companies whose programs incentivize internal reporting should be careful not to create incentives for false or overstated allegations.
  • Training Programs. Managers and human resources personnel should be trained to recognize and correctly handle reports of any improper conduct. Employees should be made aware of internal reporting mechanisms and must clearly understand the purposes for which such mechanisms are set up. Regular training of all employees, including management, regarding the scope of the federal securities laws may reduce the likelihood of employees reporting unfounded or mistaken claims to the SEC in the hopes of receiving a financial award.
  • Anti-Retaliation Policies. The Dodd-Frank Act provides for substantial sanctions for employer retaliation. The final rules clarify that as long as an employee “possess[es] a reasonable belief” that a possible securities law violation is ongoing, has occurred or is about to occur, anti-retaliation protection applies—neither an actual violation of the securities laws nor a successful enforcement action is a prerequisite. In an SEC retaliation investigation, the burden is on the employer to justify its actions. Therefore, companies should develop comprehensive anti-retaliation policies that provide strong protections for employees who use internal reporting mechanisms. This should encourage employees to come forward internally and may help identify and address potential issues prior to commencement of any costly and burdensome SEC investigation.
  • Procedures to Address Reports to the SEC. Companies should develop formal procedures for senior managers to rapidly respond to the SEC in the event of a whistleblower complaint. Such procedures should outline specific steps to be taken when faced with an SEC inquiry and provide for independent internal investigations following external disclosure by a whistleblower.
  • More Thorough Self-Reporting. In many corporate investigations, it can be difficult to determine when actual wrongdoing has been found such that it is time to self-report. The 120-day reporting period contained in the final rules further complicates this determination and will likely encourage many companies to self-report as comprehensively as possible even before an internal investigation is complete. Companies will also wish to be as comprehensive as possible when self-reporting to avoid missing any issues that may have already been reported to the SEC by a whistleblower and avoid creating an impression of inadequate or partial self-reporting.
  • Tighten the Information Flow. Because the final rules do not preclude employees from bringing whistleblower claims on matters in relation to which their employer has received an inquiry, companies will need to closely monitor the transfer of information so that employees do not use information available to them and preempt the internal compliance system by contacting the SEC directly.