In 2010, Congress enacted landmark federal legislation aimed at reforming the health care and financial sectors. Both the Patient Protection and Affordable Care Act of 20102 and the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”)3 provide expansive protection to whistleblowers in the health care and financial services industries. Each of these statutes contains whistleblower provisions aimed at providing remedies for persons who suffer adverse employment action because they blow the whistle on alleged abuses within those sectors.

The most controversial aspects of these new laws are the new financial incentives (hereinafter called “bountyhunter provisions”), which are similar to the financial incentives available in qui tam actions under the federal False Claims Act. Section 922 of the Dodd-Frank Act creates new financial rewards for employees who raise concerns – anonymously if they wish – about violations of laws or regulations within the purview of the Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading Commission (“CFTC”).

These new anonymous bountyhunter provisions crystallize an issue that has vexed employers for years: How can companies effectively encourage their employees to report their concerns through their employers’ internal compliance programs, rather than going externally to enforcement agencies such as the SEC or the CFTC? Determining the right approach now is more important than ever given the potentially large financial rewards available to employees under the Dodd-Frank Act, and the SEC’s recently proposed Regulation 21F, which create incentives for employees to raise concerns externally rather than internally.

The short answer is that employees will be reluctant to utilize their employers’ internal compliance programs if they fear retaliation for doing so. How can companies dispel employees’ fear of retaliation? A culture of compliance, in which compliance is woven into the fabric of corporate life, and in which employees who raise concerns about compliance feel that their voices are heard without retribution, can be an effective antidote to fear of retaliation.

Written Policies Are Essential, But Are Not Enough

Every employee is in a position to judge his or her employer’s actions against the words written in corporate policies. The best compliance program on paper is undermined when employees perceive that corporate action is inconsistent with corporate policy. The last eight years since the passage of the Sarbanes- Oxley Act of 2002 (“SOX”) have provided employees with some criteria for judging employers’ actions against their words.

Under SOX, every company whose stock is publicly traded on the New York Stock Exchange or NASDAQ has been required by those exchanges to implement a Code of Conduct, one aspect of which is assuring employees that they will not suffer retaliation for raising concerns about violations of Codes of Conduct4. Moreover, SOX required publicly traded companies to implement an anonymous channel for employees to report directly to the Audit Committee of the Board of Directors5.

A good starting point to determine whether a company’s employees believe that their employer has an effective culture of compliance would be for companies to ask themselves how they think their employees would answer questions such as the following (or to conduct an employee survey along the same lines):

  • Are you aware of the company’s Code of Conduct?
  • Do you believe that the company’s executive management truly wishes all of its employees to comply fully with the Code of Conduct?
  • Are you aware of the mechanisms the company has in place for employees to raise any concerns about violations of the Code of Conduct including, but not limited to, the anonymous channel for employees to raise concerns directly to the Audit Committee?
  • Do you believe that the company takes seriously concerns raised by employees about compliance with the Code of Conduct?
  • Do you believe that employees may raise concerns about violations of the Code of Conduct without fear of retaliation?
  • How effectively does the company communicate to employees about the importance of compliance with the Code of Conduct?

If answers to questions such as the foregoing are problematic, then there is some risk that employees perceive that the compliance efforts required by SOX have been ineffectual at that particular company. If companies are concerned that their employees have such a perception, then significant measures should be taken to strengthen their cultures of compliance.

Weaving Compliance Into the Fabric of Corporate Life

While appropriate compliance mechanisms will vary depending on the nature of each company’s business, size, geographic locations, and other factors, every company has regular practices that touch their employees’ lives. The lack of discussion of compliance as a part of such regular practices may wrongly convey the message that compliance is not important enough to be mentioned. Such regular practices may include:  

  • New hire orientation, including training (for managers and non-managers);
  • Distribution of employment agreements (e.g., confidentiality agreements) and employment manuals;
  • Performance evaluations, including awarding bonuses, incentive compensation and equity;
  • Annual or other regular refresher training (for managers and non-managers);
  • Annual or other regular certifications about knowledge (or lack of knowledge) about violations of Codes;
  • Messages from executive management (“setting the tone from the top”);
  • Postings on internal websites;
  • Creation of additional mechanisms for expression of concerns internally, such as the office of a corporate ombudsman;
  • Distribution of annual reports to shareholders; and
  • Other communications unique to particular organizations.

Perhaps in the past corporations could safely assume that all employees would be ethical, honest, and willing to raise concerns about compliance through internal programs, without the need to encourage them. Today, however, such an assumption may not be prudent in light of the significant financial incentives for employees to go outside the company’s internal system.

Persuading Employees that Retaliation is Not Tolerated

Well-crafted messages about compliance may be skeptically received unless employees perceive that they may safely raise concerns about compliance without suffering retribution.

The first step in persuading employees that they will not be subjected to retaliation is to train management. All managers are not created equal with respect to legal sophistication or common sense. Managers need to be trained about the “context matters” standard for retaliation set forth by the U.S. Supreme Court in employment discrimination cases. Under that standard, the measure of retaliation is whether the “employer’s challenged action would have been material to a reasonable employee,” and likely would have “dissuaded a reasonable worker from making or supporting a charge of discrimination.” Managers can be surprised that adverse employment action well short of discipline, let alone termination, may rise to the level of retaliation under employment laws including the whistleblower protection provisions under SOX.

Second, employees may judge their employers’ commitment to compliance by drawing conclusions from employer practices such as the following:

  • Is there a specific person (such as a Compliance Officer) or department that is responsible for compliance?
  • Does the person responsible for compliance reports have any real influence in the organization? (E.g., how many employees report directly to the person responsible for compliance? To whom does the person responsible for compliance report? What is the budget? Is the compliance function represented on the Board of Directors?)
  • Are there multiple channels for employees to report their compliance concerns? (E.g., ombudsman’s office; telephonic hotline; web-based hotline.)
  • Are employees regularly asked whether they are aware of any compliance violations, and are employees assured they will not suffer retaliation at the same time?
  • What happens to employees who raise concerns about compliance? (E.g., are they thanked for raising their concerns, encouraged to raise any additional concerns, or commended in their performance evaluations? Do they quietly disappear from the company?)
  • Does the company publicize the number of employee concerns raised about compliance, and how they were resolved?
  • Does the company incentivize employees by providing recognition or rewards to those who immediately report instances of fraud or misconduct inside the company?  

As is often the case with any dealings with employees, the tone of dealing with employee concerns about compliance may be equally if not more important than anything else. A workforce that feels listened to when raising concerns about compliance is less likely to go outside the company than a workforce that feels disregarded or disrespected.

Third, some companies may have sufficient historical information since SOX was enacted to determine which corporate departments generate the most concerns about shareholder fraud. Such historical data can be used to design and implement specialized training for such departments. In many publicly traded companies, the finance and accounting departments should be candidates for specialized training regardless of their track records for generating concerns.


Internal compliance programs are generally recognized as the first line of defense against shareholder fraud. Employers are in a position to appeal to their employees’ consciences by encouraging immediate internal reporting of concerns about shareholder fraud, so that companies can stop any illegality as early as possible. Any appeals to conscience will be strengthened if employees believe that their employers will respond appropriately, including ensuring that employees who raise concerns are not subjected to retaliation.