I. Introduction

On October 1, 2013, the Securities and Exchange Commission (“SEC” or “the Commission”) announced its third—and largest—award under the whistleblower bounty program created as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, § 922, 124 Stat. 1376, 1841 (2010) (“Dodd-Frank” or “the Act”).1 This award comes roughly four months after the SEC announced its second award, which went to three claimants who had exposed a “sham hedge fund,”2 and a little over a year after its first award, which went to a claimant who stopped a multi-million dollar fraud.3 As with the claimants for the first two awards, Dodd-Frank confidentiality provisions prevent the disclosure of the identity of the award recipient.

II. Analysis of the Award

The SEC’s $14 million award to a whistleblower “whose information led to an SEC enforcement action that recovered substantial investor funds” is by far its largest to date.4 Beyond the current dollar amount of the award—the Order Determining Whistleblower Award Claim makes clear that the “expected dollar amount of the [Redacted] award . . . will exceed $14 million in light of the monetary sanctions already collected”—the SEC released no details regarding the Covered Action associated with the award, in deference to the wishes of the claimant to remain anonymous.

Nevertheless, it is possible to glean at least one insight about the Covered Action from the size of the whistleblower award. Although the Order does not state the percentage of the total sanctions that the award represents, under Rule 21F-5(b), 17 C.F.R. § 240.21F-5(b), the amount of a whistleblower award “will be at least 10 percent and no more than 30 percent of the monetary sanctions that the Commission and the other authorities are able to collect.” Because the SEC has made clear that the award will be greater than $14 million, it is possible to narrow down the Covered Action to those cases involving sanctions of more than approximately $47 million on the low end ($14 million is roughly 30% of $47 million) to around $140 million on the high end ($14 million is 10% of $140 million). However, given that the SEC has not announced the award percentage and the total award remains uncertain, it is possible the Covered Action included monetary sanctions exceeding $140 million.

III. Future Awards

Commentators are calling the SEC’s latest award a “game changer”5 and are predicting that it is simply the “tip of the iceberg”6 of many more major awards to come.7 In a statement accompanying the Press Release, SEC Chair Mary Jo White said that “[w]e hope an award like this encourages more individuals with information to come forward.”8 As the head of the Office of the Whistleblower in the SEC’s Division of Enforcement, Sean McKessy, said, in connection with the announcement of the second award, “We are likely to see more awards at a faster pace now that the program has been up and running and the tips we have gotten are leading to successful cases.”9 Given that SEC investigations often take two to four years and that the Office of the Whistleblower began its work only in 2011, more announcements of large awards are likely to come. And, as more and larger awards are announced, the threat of whistleblower reporting outside a company’s internal reporting structure is likely to increase.

IV. Reminder for Public Companies Dealing with Whistleblowers10

The SEC’s third award under the whistleblower provisions of the Dodd-Frank Act provides a strong reminder to public companies of the critical importance of establishing and maintaining a tailored compliance and internal reporting program. Indeed, as more awards are announced—especially of this magnitude—knowledge of the SEC’s whistleblower bounty program will spread, which, in turn, should prompt companies and financial services firms to take steps to ensure the effectiveness of their compliance and internal reporting systems. Although off-the-shelf programs may be a useful start, they are unsuitable as a final form for most public companies. Guidance from both DOJ and the SEC stress the importance of having a compliance program tailored to specific risks and nuances of a company and its industry.11

Companies should strive to encourage employees to report any suspected violations of law or the company’s code of conduct to company compliance, internal audit, or legal personnel. Company culture, including “tone at the top”, is an important factor not only in encouraging employees to make use of internal reporting systems but also in demonstrating a commitment to compliance with the laws. Companies should ensure that employees are trained on the company’s code of conduct and on the requirement to comply with applicable laws, including the Foreign Corrupt Practices Act (“FCPA”) and the UK Bribery Act.12 During the training, appropriate emphasis should be placed on encouraging employees to utilize internal reporting channels, such as anonymous hotlines, and on the importance of reporting violations of the code of conduct or laws. Such training programs are critical to reducing violations of law, to mitigating any sanctions for the company if employees violate the law,13 and to encouraging internal reporting of suspected misconduct.

A critical component of every corporate compliance program, especially now, is a formalized process to identify and promptly respond to potential violations of federal securities laws. Companies should have anonymous reporting hotlines and should develop a system in which tips and complaints can be prioritized based on risk. A pre-identified outside counsel should be engaged to investigate more serious allegations such as alleged misconduct by management, violations of the FCPA, and significant accounting violations. With the potential for employees to go straight to the SEC with allegations, companies must treat every allegation seriously and promptly investigate potential violations of federal securities laws so that the company can be in a position to remediate the wrongdoing and to self-report the possible violations to the SEC and, where appropriate, to the DOJ.

Companies face additional challenges in situations where a whistleblower complaint is brought to their attention in the first instance by the SEC. In those instances, companies should recognize that the SEC Enforcement Staff nonetheless will welcome a credible and thorough internal investigation, even after having received a whistleblower tip or complaint.14

Given the Dodd-Frank Act’s anti-retaliation provisions,15 companies should consider whether and to what extent they want to take steps to identify the individual who reported to the Commission. If a company has uncovered the identity of the whistleblower, then it must determine whether and to what extent it wants to keep the whistleblower informed of the status (but probably not the findings) of the internal investigation.