The 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) added Section 21F to the Exchange Act, entitled “Securities Whistleblower Incentives and Protection.” This new section requires the SEC to pay awards to whistleblowers who provide the SEC with original information about a violation of the federal securities laws that leads to successful enforcement action and monetary sanctions in excess of $1 million. On May 25, 2011 the SEC adopted final rules to implement this Dodd-Frank mandate (“Whistleblower Rules”). The Whistleblower Rules define the conditions that must be met for whistleblowers to be eligible for an award. They include provisions to protect whistleblowers from retaliation, and encourage (but do not require) whistleblowers to utilize a company’s internal reporting system. The full text of the adopting release for the Whistleblower Rules is available at http://www.sec.gov/rules/final/2011/34-64545.pdf.
Who can qualify as a whistleblower?
A whistleblower is an individual who voluntarily reports a possible violation of federal securities laws that has occurred, is ongoing or is about to occur. A whistleblower may be an employee of the company that is the subject of the report, but need not have any connection with the company at all.
Some categories of individuals whose job duties specifically involve the identification and remediation of potential internal control issues are not eligible for awards under the Whistleblower Rules except under limited circumstances. For example, the following categories of individuals are generally not eligible for awards:
- Officers, directors, trustees or partners of a company who learned of the possible violation in connection with the company’s compliance processes;
- Employees whose principal job duties involve compliance or internal audit, or persons hired by a company to perform compliance or internal audit functions, or to investigate possible violations of law; and
- Employees of public accounting firms who obtained the information through performance of engagements required by the federal securities laws, when the information relates to a violation by the client or its directors, officers or other employees.
These excluded individuals can be eligible for awards under the Whistleblower Rules in some special circumstances. In particular, they may be eligible if:
- They have a reasonable basis to believe that disclosure of the information to the SEC is necessary to prevent the company from engaging in conduct that is likely to cause substantial injury to the financial interest or property of the company or investors;
- They have a reasonable basis to believe that the company is engaging in conduct that will impede an investigation of the misconduct; or
- 120 days have elapsed since they provided the information to the company’s audit committee, chief legal or compliance officer, or the individual’s supervisor, or if 120 days has elapsed since the individual received the information under circumstances that would indicate that the audit committee, chief legal or compliance officer, or the supervisor, was already aware of the information.
One interpretative aspect of the Dodd- Frank mandate involved the extent to which the whistleblower’s culpability in the reported violation would disqualify that person from receiving an award. As adopted, the rules provide that fraud or misconduct on the part of the whistleblower, even if it is the same fraud or misconduct that is being reported, does not per se disqualify the whistleblower from receiving an award. However, sanctions levied against the whistleblower, or ordered against the company based substantially on the whistleblower’s own conduct, will be excluded for purposes of determining whether the $1 million minimum threshold is reached, and will be a negative factor in calculating the amount of any award to that whistleblower.
Information obtained through a communication that was subject to the attorney-client privilege will not be eligible for a whistleblower award. This applies to priviledged communications with both in-house and external counsel. However, if the attorney-client privilege has been waived – a determination that is often subject to judgment and difficult to determine – the information may be the subject of an award.
When is information “voluntarily” provided?
In order to secure an award, an individual must voluntarily supply original information about securities violations to the SEC. If a report is made in response to a demand, inquiry or request from the SEC, PCAOB, Congress or a self-regulatory organization, the information is not considered voluntary and thus cannot be the basis for an award. Similarly, individuals under a pre-existing contractual or legal duty to report the original information to the SEC or other authorities will not meet the “voluntary” requirement and will not be eligible for an award.
What is “original information”?
Original information is information derived from the whistleblower’s independent knowledge or analysis that was unknown to the SEC before the whistleblower provided it. Information available from the news media, or stemming from allegations made in judicial or administrative hearings or governmental reports, hearings, audits or investigations, will generally not be considered original information for purposes of an award.
Is there any requirement that the information be reported through the company’s internal whistleblower system?
The Whistleblower Rules do not require that an individual first make a report through the company’s internal reporting procedures. In recognition of the positive effects of adopting and enforcing robust internal controls to detect and prevent improper behavior, the Whistleblower Rules do contain some incentives for individuals to utilize corporate internal compliance programs to report potential misconduct:
- Reporting suspected wrongdoing through an internal compliance program may increase the amount of an award, while interfering with an internal compliance program may decrease an award.
- Employees who first report suspected wrongdoing internally will be treated as having provided “original information” to the SEC if the information was not already known to the SEC as of the date of the internal reporting, so long as the individual submits the same information to the SEC within 120 days.
- Whistleblowers who report original information through a company’s internal compliance program will be credited with not only the original information but also any additional information provided by the company which leads to a successful enforcement action.
It is notable that, to be eligible for an award, someone who has followed internal procedures and reported a potential violation through the company’s internal whistleblower program must still report it to the SEC within 120 days after making the internal report. As a consequence, if a company receives what appears to be a legitimate whistleblower complaint and undertakes a comprehensive internal investigation, it is now more likely that the SEC will be brought into the picture – and brought in at an earlier point in time – than would have ever been the case historically.
How are whistleblowers protected against retaliation for reporting information to the SEC?
The Whistleblower Rules specify that whistleblowers who provide information to the SEC are protected from retaliation if the whistleblower possesses a “reasonable belief” that the information he or she provides relates to a possible federal securities law violation that has occurred, is ongoing, or is about to occur. The anti-retaliation provisions protect whistleblowers regardless of whether they ultimately qualify for an award. Key to appreciating the anti-retaliation protections is recognition that the whistleblower need only report a possible violation – an actual violation of the securities laws is not necessary. In order to have a “reasonable belief,” an employee must genuinely believe the information demonstrates a possible violation of the securities laws, and the belief must be one that a similarly situated employee might possess.
Can we adopt a policy requiring employees to report violations to the company internally before submitting a report to the SEC?
No. The anti-retaliation provisions of the Whistleblower Rules protect the employee from being disciplined for behavior in accordance with the Rules, including reporting directly to the SEC. A company policy requiring internal reporting could not be enforced without violating those antiretaliation provisions. However, there is, of course, nothing objectionable about encouraging internal reporting and reinforcing internal compliance programs.
What financial incentives are being offered to whistleblowers?
If monetary sanctions in excess of $1 million are ultimately collected as a result of a successful enforcement action based on the whistleblower’s information, eligible whistleblowers may receive payments of 10% - 30% of the amount collected, in the discretion of the SEC. Two or more smaller actions with the same nucleus of facts may be aggregated to meet the $1 million dollar threshold. The Whistleblower Rules spell out several factors to be considered in determining the amount of the award.
What is the effective date of the Whistleblower Rules?
These rules will be effective August 12, 2011.
How do the Whistleblower Rules affect our company’s internal procedures?
The Whistleblower Rules do not require companies to adopt any new policies or procedures. Nor do they mandate any new company disclosure. However, the creation of a formal SEC whistleblower program, and financial incentives for individuals to report information, are likely to increase the level of whistleblower activity. As a result, companies should anticipate an increase in the pace of internal or other investigations and related costs.
Now would be an appropriate time for companies to:
- Review internal whistleblower procedures, and update them in accordance with industry best practices or developments in the company’s business;
- Review internal training and compliance programs to ensure that employees generally know their responsibilities and the company’s expectations about reporting possible violations internally so that the company can take corrective action on a timely basis; and
- Investigate any reports of possible wrongdoing promptly.