On August 29, 2014, the Securities and Exchange Commission (“SEC”) announced a whistleblower award of more than $300,000 for a company employee who performed audit and compliance functions.1 The award, twenty percent of the amount the SEC collected in an enforcement action, represents the first for a company employee with audit or compliance responsibilities.2 It also demonstrates that previously-raised concerns about the implications of the SEC paying whistleblower awards to compliance and audit personnel were well-founded and should be considered by companies in connection with the design and implementation of their compliance programs.3
The SEC’s Whistleblower Regulations
The SEC’s Regulation 21F provides that whistleblowers who provide original information that leads to an enforcement action resulting in sanctions greater than $1 million may be awarded between ten and thirty percent of any amounts recovered by the SEC in a judicial or administrative action,or related action.4 To qualify for an award, the whistleblower must supply original information that is the product of his/her “independent knowledge” or “independent analysis.”5 Although compliance officers and internal auditors are generally not considered sources of original information,6 if they have reported allegations of misconduct to their supervisor, chief legal or compliance officer, or the audit committee, they can, after waiting 120 days from the date of an initial report, report the allegations to the SEC and be eligible for an award (assuming the SEC has not already received the information from another source, such as an employee who originally reported the alleged misconduct).7
The SEC’s order announcing the $300,000 award details this exception, noting that the whistleblower had obtained the information (that was relayed to the SEC) by virtue of his/her role in the organization.8 Although the SEC’s order does not detail the whistleblower’s position or the nature of the information he/she relayed to the agency, it is clear that the employee became eligible for an award when the information he/she reported internally was not reported by the company to the SEC within 120 days and the company failed to take reasonable steps to respond to the allegations. In that regard, the SEC’s press release announcing the award affirmed that an employee responsible for compliance, audit, and/or legal functions “may be eligible for an SEC whistleblower award if their companies fail to take appropriate timely action on information they first reported internally.”9
The limit Regulation 21F places on receipt of an award by compliance and audit personnel is linked with the regulation’s 120-day “look back” provision, which provides that employees have a 120-day window within which to report original information to the SEC after they have already reported it internally.10 The regulation thus contemplates that the employee holding information regarding misconduct has the first opportunity to report to the SEC as an original whistleblower; however, if the employee allows 120 days to pass before informing the SEC, the person the employee informed about the misconduct, such as a compliance officer or internal auditor, may inform the SEC and be first in line for any award.
Best Practices for Managing Internal Whistleblower Complaints
The SEC’s award again highlights the risks a company can face if it fails to promptly respond to whistleblower complaints and to address the concerns of both the employee who reports the alleged wrongdoing and, where applicable, the recipient of the information in the company’s audit or compliance group. It also serves as a reminder that the SEC’s whistleblower rules create strong financial incentives for nearly all employees, including compliance and audit personnel who are uniquely positioned to learn of allegations of misconduct, to report such allegations to the SEC.11 Thus, companies would be well-advised to consider the following measures to address the possibility that their own compliance officers or auditors may reject internal mechanisms for addressing alleged wrongdoing and seek to profit from information they acquire in the course of their duties:
- Support of Compliance and Audit Personnel: Companies should ensure that their compliance and audit team members are supported in their mission and empowered to adequately investigate allegations of wrongdoing. Frustrated compliance and audit personnel may be more inclined to report to the SEC anonymously, in part because they may be concerned about their own liability if allegations of wrongdoing are not addressed appropriately.
- Managing Investigations of Allegations of Misconduct: Companies should carefully consider how to manage investigations of allegations of wrongdoing that may implicate federal securities law violations, bearing in mind that privileged information may not be used as a basis for whistleblower rewards. Many companies rely on non-lawyers, including human resources, corporate security or internal audit personnel, to conduct preliminary investigations of such allegations. Carefully screening the allegations and, where warranted, having them investigated under the direction of a lawyer, will increase the likelihood that the impressions of investigators will be protected by the attorney-client privilege and not constitute original whistleblower information.
- Communicate with Potential Whistleblowers About the Investigation: Companies should let all potential whistleblowers, including compliance and audit personnel with knowledge of allegations of wrongdoing, know that a complaint is being taken seriously and, to the extent circumstances permit, keep the employees apprised of the inquiry. This may help delay or prevent an unnecessary whistleblower report to the SEC. Companies also should document all communications with prospective whistleblowers.
- Respond Within 120 Days to Legitimate Complaints: As the SEC noted, the employee became eligible for a whistleblower award after the company had failed to report the alleged wrongdoing in a “timely” manner, that is, within 120 days. This underscores the importance of companies addressing allegations promptly and making a decision as to whether to disclose sooner rather than later, particularly if they want credit for voluntary disclosure. Companies also should remember that even after the 120-day time limit for regular employees to submit reports to the SEC has passed, a compliance officer or auditor could still submit information they received internally to the SEC and profit from doing so.
The SEC’s whistleblower award of $300,000 to an employee with compliance and audit responsibilities sends a clear message that the agency encourages disclosures from personnel companies engage to help them prevent, detect and address wrongdoing internally, not disclose it externally. While there may be circumstances where internal processes fail and disclosure is justified, encouraging disclosure by such employees, some of whom may be motivated by the prospect of financial gain, rather than doing the right thing, is likely to complicate, not complement, internal compliance efforts. Thus, while a single award does not constitute a trend, companies nonetheless would be well-advised to carefully and timely respond to all credible whistleblower allegations implicating potential federal securities law violations and to ensure that the sources and recipients of such allegations are kept reasonably informed of the nature and extent of the response to the allegations.