On May 25, 2010, the Securities and Exchange Commission (SEC) released its final rules implementing Section 922 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) (§ 21F of the Securities Exchange Act of 1934 (SEA)).1 These rules enable a whistleblower to obtain a bounty where she or he voluntarily provides the SEC original information that leads to the successful enforcement of a federal court or administrative action where the SEC obtains sanctions exceeding $1 million. The bounty will range from 10% to 30% of the recovery. This framework is similar to the federal False Claims Act (which offers financial rewards to whistleblowers) and different from Section 806 of the Sarbanes-Oxley Act of 2002 (SOX) (which prohibits retaliation but does not offer monetary incentives).
The following describes the key aspects of these rules, identifies the risks these rules present to employers and shareholders and provides a range of steps employers may take to minimize the risk that the rules will encourage employees to bypass internal compliance programs.
Impact On Compliance Programs
The SEC will consider whether a whistleblower complained internally in exercising its discretion to decide on the size of any bounty exceeding 10% of the government's recovery. The SEC may increase awards where whistleblowers use internal compliance channels and may decrease an award where a whistleblower disrupts internal compliance efforts. Also, where a whistleblower reports original information through a company's internal compliance channels, and the company then reports the information to the SEC, all of the information the company provided to the SEC will be attributed to the whistleblower. In other words, under such a scenario, the whistleblower will be credited for any additional information the company's investigation generated. In addition, if a whistleblower provides information internally to a person with legal, compliance, audit, supervisory or governance responsibilities, and then submits the same information to the SEC within 120 days, the SEC will consider the whistleblower to have provided the information to the SEC as of the time she or he made the internal complaint. (The proposed rules provided a 90-day "grace period.") Thus, the whistleblower keeps her or his "place in line" through this 120-day grace period.
To be eligible for a bounty, whistleblowers must provide "original information." The rules define "original information" as information derived from the independent knowledge or analysis of the whistleblower, not already known to the SEC from any other sources, and not exclusively derived from allegations made in a judicial or administrative hearing, government report, hearing, audit, or investigation, or from the news media. In addition, "original information" only includes information provided to the SEC for the first time after July 21, 2010 (the date Dodd-Frank was enacted).
As noted, original information must derive from a whistleblower's "independent knowledge." The rules define "independent knowledge" as factual information in the whistleblower's possession that is not obtained from publicly available sources (e.g., corporate press releases and filings, media reports, and information on the Internet), and sources that, though not widely disseminated, are generally available to the public (e.g., court filings and documents obtained through Freedom of Information Act requests). This definition does not require that a whistleblower have direct, first-hand knowledge of potential violations. Rather, the whistleblower may obtain her or his knowledge from observations, communications, and independent analysis of publicly available information.
"Independent knowledge" does not include information that is:
- Subject to the attorney-client privilege;
- Learned through legal representation, even if not privileged (this includes in-house counsel), unless the disclosure has been permitted;
- Secured through an engagement required under the securities laws by an independent public accountant if the information relates to a violation by the engagement client or the client's directors, officers, or other employees;
- Obtained by officers, directors, trustees or partners of an entity who are informed of allegations of misconduct, or who learn the information in connection with the entity's processes for identifying, reporting and addressing possible violations of the law (such as through a help-line);
- Obtained by employees whose principal duties involve compliance or internal audit responsibilities or employees of outside firms retained to perform compliance or internal audit work;
- Obtained in a manner that is determined by a domestic court to violate applicable federal or state criminal law; or
- Information that is obtained from a person who is subject to the above exclusions, unless the information is not excluded from that person's use, or the whistleblower is providing information about possible violations involving that person.
There are broad exceptions to the foregoing limitations. In certain circumstances, compliance and internal audit personnel, as well as public accountants, could become whistleblowers when:
- The whistleblower believes her or his disclosure may prevent substantial injury to investors;
- The whistleblower believes that the entity is engaging in conduct that will impede the investigation;
- At least 120 days have elapsed since the whistleblower reported the information to her or his supervisor or the company's audit committee, chief legal officer, chief compliance officer, or at least 120 days have elapsed since the whistleblower received the information, if the whistleblower received it under circumstances indicating that the foregoing individuals already are aware of the information.
The rules do not categorically bar all whistleblowers who engage in misconduct that is the subject of the SEC's action or a related action from recovery. But they impose the following limitations on recovery:
- In determining whether the $1 million threshold is met, the SEC will not include sanctions that the whistleblower is ordered to pay, or that are ordered against an entity whose liability is based "substantially" on conduct that the whistleblower directed, planned or initiated;
- A bounty will not be awarded to a whistleblower who is convicted of criminal violations related to the action for which she or he provided information; and
- A bounty will not be awarded to a whistleblower who obtains the information through audits of financial statements required by securities laws and for whom submission would be contrary to the requirements of Section 10A of the SEA.
A whistleblower will not be deemed to have voluntarily submitted information to the SEC where:
- She or he is required to report information to the SEC arising out of: (i) a pre-existing legal duty; (ii) a contractual duty to the SEC, the Public Company Accounting Oversight Board (PCAOB), self-regulatory organizations, Congress, other federal governmental authorities, or a state Attorney General or securities regulatory authority; or (iii) a duty that arises out of a judicial or administrative order to report the information to the SEC; or
- She or he provides the SEC with information after receiving a request that relates to the subject matter of the submission by the SEC; in connection with an investigation, inspection, or examination by the PCAOB or any self-regulatory organization; or in connection with an investigation by Congress, other federal governmental authorities, or a state Attorney General or securities regulatory authority.
Aggregation Of Actions
For purposes of determining whether the $1 million bounty-eligibility threshold is met, the SEC will aggregate two or more smaller actions that arise from the "same nucleus of operative facts." As a practical matter, this will make bounties available in more cases.
Whistleblowers are protected against retaliation even where they are not eligible for a bounty, and companies may not hinder a whistleblower's ability to communicate with the SEC. Notably, in contrast to the proposed rules, the final rules require a whistleblower to have a reasonable belief that the information she or he is providing relates to a possible securities law violation (or, where applicable, to a violation of the provisions in Section 806 of SOX) that has occurred, is ongoing, or is about to occur. The rules provide that "[t]he 'reasonable belief' standard requires that the employee hold a subjectively genuine belief that the information demonstrates a possible violation, and that this belief is one that a similarly situated employee might reasonably possess." Moreover, the following bears on whether an employee's belief is reasonable: whether the information provided to the SEC is specific, credible and timely; whether it is related to a matter that is already under investigation by the SEC but significantly contributes to the investigation; and whether it was reported internally and then disclosed by the company (and satisfies either of the foregoing considerations).
The Dodd-Frank bounty provisions and the SEC's implementing rules give employees an incentive to bypass the internal compliance mechanisms mandated by SOX and complain directly to the SEC. The potential consequences are daunting, as circumvention of internal compliance mechanisms will make it difficult for companies to promptly address the fraudulent conduct that forms the basis of the whistleblower's tip to the SEC.
Thus, employers need to strengthen compliance programs and take calculated steps to heighten the likelihood that employees will use internal channels for lodging complaints. Employers should consider the following range of available measures:
- Create a culture of integrity through top-down transparency and accountability and continually communicating a commitment to ethics to employees of all levels;
- Train managers to be receptive to and supportive of employee complaints and concerns regarding any perceived improprieties that could amount to fraud;
- Institute help-lines (allowing anonymous reports) and multiple other channels for submitting complaints;
- Educate employees through training and widely disseminated and easily accessible policies regarding the available methods of submitting complaints internally;
- Develop and broadly disseminate comprehensive codes of conduct and ethics and related policies that encourage internal complaints and prohibit retaliation;
- Embrace good-faith whistleblowers as assets who are well-positioned to expose and help ferret out potential fraud;
- Reward whistleblowers for providing the company with information that enables it to identify and address incidents of fraud (myriad types of awards, including monetary and non-monetary awards, may be considered); and
- Include the concept of "fostering a culture of ethics and accountability" among the criteria used to evaluate managers' performance.