Audit and compliance personnel have long played a vital role in identifying and preventing potential wrongdoing within companies. The Securities and Exchange Commission’s whistleblower program, which incentivizes insiders to provide information about potential issues, heightened the importance of a robust corporate audit and compliance function. Issues that once were resolved internally within a company, might now also be brought to the attention of the SEC.
Companies that foster an internal culture of compliance often earn themselves valuable opportunities to determine the best course of action for an issue before the SEC calls. In particular, two SEC whistleblower awards to audit and compliance employees – totaling almost $2 million – provide helpful reminders that internal reports of potential wrongdoing should be taken seriously, investigated promptly, and addressed appropriately.
The SEC’s Two Whistleblower Awards to Audit and Compliance Personnel
The SEC created its whistleblower program under the Dodd-Frank Wall Street Reform and Consumer Protection Act to encourage submission of information that aids the Division of Enforcement in investigating and pursuing potential securities fraud. Individuals who voluntarily provide original information that leads to a successful enforcement action resulting in monetary sanctions over $1 million may receive an award of 10% to 30% of the amount collected by the SEC. Since its inception in 2011, the program has paid over $50 million to 17 whistleblowers, the bulk of which is comprised of a $30 million award announced in September 2014 and a $14 million award announced in October 2013.
Typically, personnel whose principal duties involve internal audit or compliance responsibilities, or employees of a firm retained to perform these functions for an entity, are not eligible for whistleblower awards if they obtained reported information because of their audit or compliance functions. Companies and the SEC benefit from audit and compliance personnel focusing on helping the company work though potential issues internally, unless and until self-reporting to the SEC is deemed the best course.
Yet – in the words of the SEC staff – audit, compliance, and legal personnel stand “on the front lines in the battle against fraud and corruption” and often are privy to “specific, timely, and credible information.” 1 The SEC thus established three exceptions to allow audit and compliance to recover whistleblower awards.
First, an audit or compliance employee may be eligible for an award if (s)he reasonably believed that disclosure to the SEC was necessary to prevent conduct likely to cause “substantial injury to the financial interest or property of the entity or investors.” On April 22, 2015, the SEC announced the award of between $1.4 million and $1.6 million to a compliance professional under this exception.2 When announcing this award, the SEC staff highlighted that “responsible management at the entity became aware of potentially impending harm to investors and failed to take steps to prevent it.”
Second, an audit or compliance professional may be eligible for an award by reporting that a company is engaging in conduct that impedes an investigation. The SEC has not yet granted a whistleblower award under this narrow exception. But the exception is straightforward – if company leadership actively deceives investigators, the SEC has encouraged audit and compliance personnel to come forward.
Third, an audit or compliance professional may be eligible for a whistleblower award if 120 days have passed since (s)he reported the information to the company’s audit committee, chief legal officer, chief compliance officer, or supervisor. On August 29, 2014, the SEC announced the award of over $300,000 under this exception to an employee who performed audit and compliance functions and reported concerns of wrongdoing that led directly to an SEC enforcement action.3 The SEC’s release stated that although the whistleblower first reported the matter within the company, the company took no action on the information within 120 days. The whistleblower thereafter reported the same information to the SEC, which initiated an enforcement action, and ultimately received a 20% award.4
Takeaways From Whistleblower Awards to Audit and Compliance Personnel
Nothing requires whistleblowers to first report their concerns internally. Yet by fostering an internal culture of compliance, companies can better encourage internal reporting as a first choice, thus allowing audit and compliance personnel to fulfill their important roles. Implementing the below takeaways should help nurture that environment. Moreover, since internal whistleblowers might also report their concerns to the SEC, implementing the takeaways outlined below better positions the company when addressing a specific matter with the SEC.
- Ensure a Clear Internal Reporting Program. Companies of all sizes should ensure that the mechanisms for receiving and addressing internal reports are clearly articulated and performed. Experienced corporate and enforcement counsel can help. At a minimum, programs should be publicized to employees, demonstrate that internal reports are received and addressed appropriately and promptly, and be visibly supported by senior leadership. As SEC Chair White recently explained at a conference, compliance should “become the zeitgeist” of the institution.
- Stop Ongoing Unlawful Activity. Supervisory personnel who learn of ongoing wrongdoing are well-advised to take steps to stop that activity as soon as practical. Whether reported conduct is unlawful is not always obvious, and halting conduct is not always a simple exercise. Nevertheless, taking proactive steps promptly certainly helps demonstrate to regulators that the company views compliance seriously.
- Investigate Internal Reports. An internal investigation often is required to analyze the full context to a whistleblower report, identify the scope of any issues, and determine potential responses. Undertaking a thorough, targeted, and prompt investigation can significantly improve any interactions with the SEC about a matter. Conversely, an insufficient investigation may taint those interactions. Outside counsel, particularly former SEC enforcement counsel, is well-positioned to best ensure that a company benefits from its internal investigation and any remedial action based on the findings.
- Talk to the Whistleblower. Internal investigations almost always start with a discussion with the internal whistleblower. This conversation often helps frame the issues, provides further details about the reported concerns, and provides an opportunity to assure the internal whistleblower that the company is taking the matter seriously. Internal whistleblowers also should be kept appropriately apprised of the status and conclusions of an investigation. Internal whistleblowers who feel that their concerns are being appropriately addressed may feel less compelled to report externally to the SEC.
- Protect Privileges. Deciding to waive privileges vis-à-vis the SEC should not be lightly made. Whistleblower awards typically are not available to individuals who report information protected by the attorney-client privilege. To better protect the company’s privileges, therefore, counsel should be involved in and direct most internal investigations. Moreover, companies should consider whether to structure reporting lines so that internal investigatory personnel report to the legal department.
- The 120-Day Check Point. Companies, often aided by former SEC enforcement counsel, must consider whether to self-report a matter to the SEC staff. Doing so may garner cooperation credit for the company, which might reduce potential sanctions. But after careful consideration of an internal report, a reasonable investigation, and thoughtful analysis of relevant factors, a company may choose not to self-report a particular issue. Once the SEC contacts the company about a matter, however, the opportunity for voluntarily self-reporting has passed. Companies thus should regard the above-discussed 120-day time frame contained in the whistleblower program to be a critical check-point for the self-reporting determination.
- Reasonable Remediation. After a careful analysis of the investigatory record, stakeholders must decide what remedial action, if any, should result. Numerous factors influence the decision, and counsel is well-equipped to navigate to a result. In any instance, the remediation decision and rationale should be documented in the event it is later revisited and questioned.
- Avoid Retaliation. The SEC actively penalizes perceived attempts to punish or dissuade use of the whistleblower program. The SEC charged one entity for allegedly retaliating against a whistleblower who reported potentially illegal activity to the SEC.5 That whistleblower later received a more than $600,000 award from the SEC.6 The SEC also recently announced a settlement with a federal contractor whose confidentiality agreements signed by witnesses in internal investigations allegedly prohibited the employees from discussing with government regulators, absent specific authorization from the company, the subject matters covered during the internal interviews.7 Members of the SEC staff have indicated that the SEC is actively monitoring for further instances that would send a strong message in these areas. Clearly, companies should avoid retaliatory acts. Companies and their counsel also should proactively scrutinize confidentiality, severance, and similar agreements for provisions that the SEC may regard as stifling potential whistleblowers.
- Do Not Impede The Regulators. Companies and their personnel should not take steps to actively hinder an SEC investigation. Upon receipt of an SEC subpoena, companies should take steps to ensure the preservation of relevant documents and information. Typically, this includes circulating preservation notices, modifying standard document retention practices, and collecting relevant documents from key personnel. Outside counsel often can efficiently aid in this process.
The SEC’s whistleblower awards to audit and compliance personnel illustrate that companies are well-advised to foster internal reports of potential misconduct, and to take appropriate action upon receiving any such reports.