On May 25, 2011, the Securities and Exchange Commission adopted final rules implementing the whistleblower provisions of the Dodd-Frank Act, Section 21F of the Securities Exchange Act of 1934. Under Dodd-Frank, the SEC is required to award a whistleblower between 10 percent and 30 percent of any recovery in a successful enforcement action based on the whistleblower's allegations, where the action results in a recovery of monetary sanctions exceeding $1 million. Dodd-Frank also contains enhanced provisions protecting whistleblowers from retaliation, and the final rules make it a violation to prohibit or impede external reporting by whistleblowers.

Much of the comment and controversy around the rules centered on the impact of incentivizing whistleblowers to contact the SEC without first relying on corporate compliance programs that include effective whistleblowing processes. Although the final rules permit whistleblowers to bypass internal processes, the rules and the SEC's comments also provide important opportunities and incentives for companies to establish and maintain effective compliance regimes.

First, the SEC permits companies to encourage employees to report suspected misconduct internally in the first instance. Internal reporting has significant benefits for companies, including the ability to investigate suspected misconduct quickly, to root out problems early, to control the investigative process, and to self-report to the government in appropriate cases, thereby obtaining credit for having done so.

Second, the SEC offers clear benefits to companies that take compliance seriously, that have the right "tone at the top" and effective policies and procedures. Such companies are more likely to receive the opportunity to conduct an internal investigation, and report the results back to the SEC, even after a whistleblower has gone directly to the agency. This is a logical enforcement scheme given the agency's limited resources, and it provides a company with many of the benefits that flow from internal reporting: the opportunity to control the investigative process and to learn quickly and comprehensively whether there are serious problems, as opposed to enduring a lengthy and costly enforcement investigation.

It is, therefore, critically important for companies to be aware of the rules, maintain effective compliance programs, and know how to respond effectively to signs of trouble. Since the SEC presumably will determine the strength of corporate culture and the compliance program through what it can glean from publicly available information, it will be especially important for companies to have clearly stated internal compliance programs and to consider making public codes of conduct and other senior management messages about compliance.

Core Elements of an Effective Compliance and Reporting System

With so much now depending on strong and well-implemented internal compliance systems, we recommend that companies periodically and systematically reassess their policies, procedures, and related controls for dealing with possible misconduct.

As a general matter, all such programs should proceed from a core set of principles. Some of these will overlap with, and should be integrated into, existing policies and procedures.

1. Maintenance of high legal and ethical standards. The company complies with applicable laws and regulations of each jurisdiction in which it operates. The company promotes a culture of high ethical standards in addition to legal compliance, and it makes this clear through the behavior of its highest officials who set this tone not just in words but in the actions they take.

2. Responsibility of all employees to assist in the maintenance of high standards. All employees, including management and non-management personnel, are expected to maintain the highest ethical standards, to comply with laws and regulations, to assist the company in its compliance efforts, and to resist any offers, suggestions, or demands from others, whether inside or outside the company, that would result in a violation.

3. Employees encouraged to report suspected misconduct. All employees are encouraged to report suspected misconduct, and the company maintains a clearly articulated process for employees to report potential problems. If the employee does not believe that the reported misconduct has been addressed appropriately, the employee is encouraged to report to higher levels of authority within the company, up to and including the General Counsel, Chief Compliance Officer, or Audit Committee chair. Interestingly, the SEC staff has commented that many of the complaints they are receiving are from employees who first reported internally but believed that their complaints were ignored or not treated seriously.

4. Confidentiality of reporting. The company has a process in place for employees to report suspected misconduct on a confidential basis. If the employee wishes to report confidentially, the company will protect the employee's identity to the maximum extent possible.

5. Retaliation prohibited. No officer, supervisor, or coworker may retaliate, or threaten to retaliate, in any way against an employee who reasonably believes he or she is providing information relating to a possible violation of law and who reports potential or suspected misconduct in a manner permitted by this policy. Employees are trained on the different direct and indirect forms of conduct that may be considered retaliation. Any such retaliation or threatened retaliation should be reported by the employee who receives the threat, and it will be grounds for disciplinary action against the person making the threat, up to and including termination of employment.

6. Commitment to investigate reports of misconduct. The company takes legal compliance seriously and will promptly investigate reports of suspected misconduct that are brought to its attention. In appropriate cases, and upon the advice of counsel, the company will self-report cases of suspected misconduct to appropriate authorities.

7. Recognition that an employee report may benefit the company. The company recognizes that in some circumstances, an employee's reporting of suspected or actual misconduct may result in a benefit to the company, either by preventing continuing or more serious misconduct or putting an end to it. In such circumstances, at the discretion of management, the company may recognize the contribution of the employee through an award or a monetary bonus. In addition, the employee's action will be considered favorably in subsequent performance evaluations.

8. Commitment to training. The company will promulgate its policies and periodically train and retrain employees to ensure their awareness of, and adherence to, these policies.

Maximizing the Opportunity of an SEC Referral

Companies should, of course, maximize the opportunity presented if the SEC permits an internal investigation of a whistleblower complaint made directly to the agency. When presented with such a referral, the company must respond vigorously and appropriately. In order to establish immediate credibility with the SEC, the company must ensure that the investigation will be appropriately independent, thorough, and professional from the outset. This will require the company to evaluate a host of considerations including the credibility of the complaint, the likely complexity of the investigation, the adequacy and experience of internal resources to deal expeditiously with the allegations, whether the retention of independent counsel is warranted, and whether allegations about senior management necessitate early audit committee involvement.

Conclusion

Companies should periodically and consistently reassess how they can effectively encourage internal reporting by whistleblowers and, when necessary, respond to referrals from the SEC. In this regard, a robust and comprehensive compliance program increases the likelihood that the company will have the first opportunity to investigate suspected wrongdoing, regardless of whether the whistleblower has reported it internally or externally.