Regulatory & Compliance

The SEC's New Whistleblower Rules: Changing The Landscape For Compliance And Enforcement

Editor: Please tell us about the new SEC whistleblower bounty program.

Odoner: Regulation 21F, which will take effect August 12, implements the whistleblower bounty program and anti-retaliation provisions mandated by the Dodd-Frank Act. The most controversial aspect of the proposed regulation was its failure to require that corporate whistleblowers report internally before going to the SEC. The final regulation does not require this (as the Commission's divided vote reflects); however, it enhances the incentives for whistleblowers to do so.

Editor: What is the basic framework?

Odoner: An eligible whistleblower must "voluntarily" provide, in accordance with specific rules, "original information" about a violation of the federal securities laws that has occurred, is ongoing or is about to occur and that ultimately "leads to successful enforcement action" in which the SEC collects more than $1 million. The whistleblower may receive a cash award ranging from 10-30 percent of the monetary sanctions collected by the SEC. He or she also may receive an award based on monetary sanctions collected by other authorities in a "related action," including a federal criminal prosecution brought by the Department of Justice.

Until now the SEC could only offer financial incentives for tips relating to insider trading. The new program provides bounties for information relating to any violation of the federal securities laws, including the provisions of the Foreign Corrupt Practices Act enforceable by the SEC. Aspiring whistleblowers may be enticed by recent SEC settlements in FCPA, insider trading, fraudulent financial reporting and other matters in which those involved have paid very sizeable sums.

Editor: Who may be a whistleblower, and against whom may a whistle be blown?

Odoner: A whistleblower must be an individual. He or she may remain anonymous but, if so, must act through an attorney. A whistleblower may even have culpability (this will be factored into the award). Exclusions apply to attorneys, auditors and persons performing a compliance function. However, the carve-outs from these exclusions may, in the view of one dissenting commissioner, "swallow the rule."

A whistle may be blown against an individual or entity - in the latter case, regardless of whether public or private and whether or not regulated by the SEC. The focal point is whether a plausible allegation is made that the person or entity has violated, is violating or is about to violate any provision of the federal securities laws.

Editor: You mentioned that internal reporting will be incentivized but not required.

Odoner: Critics fear the rules will undermine the effectiveness of corporate compliance programs - ironically defeating a key goal of the Sarbanes-Oxley Act. Commissioners who voted to adopt the rules stressed the incentives for whistleblowers to report internally first: (1) the whistleblower's "place in line" for an award will be preserved for 120 days after reporting it internally; (2) all information subsequently reported by the company to the SEC following an internal investigation will be attributed to the whistleblower; and (3) the SEC will give "credit" for internal reporting when determining the amount of an award.

Editor: Please discuss the anti-retaliation provisions.

Dinkoff: The anti-retaliation provisions - which are enforceable by the SEC as well as by aggrieved whistleblowers - are broader in scope than the bounty provisions. They apply even if a complaint does not result in a Commission enforcement action or the whistleblower ultimately fails to receive an award. They apply even if the whistleblower never reports to the Commission but makes statements that are "required or protected" under Sarbanes-Oxley, the Exchange Act or any other law, rule or regulation subject to the jurisdiction of the SEC.

To be protected, the whistleblower need only have had a "reasonable belief" that the information he or she has provided related to a possible violation of the applicable law. Employers are prohibited from taking a wide range of adverse actions - discharging, demoting, suspending, threatening, harassing or discriminating in any other manner.

Whistleblowers are likely to bring claims for retaliation under Dodd-Frank rather than Sarbanes-Oxley. First, they may sue directly in federal district court without filing first with the Department of Labor. Second, they are entitled to twice the amount of back pay otherwise owed, as opposed to only back pay. Third, the statute of limitations is considerably longer: suit must be brought within six years of the violation, or three years from when material facts are known or reasonably should have been known (but not longer than ten years from the violation).

Editor: Who will administer the new rules and what is happening so far?

Bartholomew: The SEC's new Office of the Whistleblower, residing within the Division of Enforcement, will be in charge. The SEC announced on May 25 that initial staffing and funding have been completed. On May 26, the director of the Division of Enforcement was quoted as saying that since Dodd-Frank's adoption, there has been an "uptick" but not a "flood" in tips, and the quality has improved.

Editor: What are the SEC enforcement implications of the new rules?

Bartholomew: Companies will need to be prepared for a range of possible enforcement scenarios: (1) the whistleblower complains to the company but takes advantage of the 120-day lookback and does not go immediately to the SEC; (2) the whistleblower complains to the company and the SEC simultaneously; or (3) the whistleblower complains to the SEC without notifying the company.

Historically, when it has received tips and complaints, the Enforcement staff generally has given companies the opportunity to investigate and report back and has evaluated their actions under the Seaboard factors. The Enforcement staff has suggested that this approach will continue. However, questions undoubtedly will arise in practice (for example, will the SEC defer to a whistleblower's demand that the SEC not bring a matter to the company's attention because the whistleblower fears his or her identity will be revealed?). Moreover, the Enforcement staff will have wide latitude in administering the program. In determining whether to follow its general approach in a particular case, the staff may consider information it has concerning the nature of the alleged conduct, the level at which the conduct allegedly occurred, the company's existing culture and the company's internal compliance programs, including what role, if any, internal compliance had in bringing the information to management's or the SEC's attention.

Editor: What are the implications of the 120-day lookback?

Bartholomew: Even if the whistleblower brings a complaint to the company first, the company faces an uncertain process. Since it must assume that the whistleblower will go to the SEC by the 120th day, the company must act expeditiously to determine whether the complaint is meritorious. If the complaint appears to have merit, it will generally make strategic sense to alert the SEC before the 120-day clock expires.

There are many nuances to this issue, however, including when to make the initial report and whether to make it when the initial inquiry shows the allegation to be unmeritorious. There will be many situations in which a company, on day 120, has not been able to make any definitive conclusions about the allegations yet believes the issues are serious and credible. In this circumstance, there is a strong argument that the company should make some disclosure to the SEC, with the caveat that the investigation is ongoing. In all events, the company should fully document the nature and scope of its investigation and the involvement, where appropriate, of the audit or other appropriate board committee or the full board.

Editor: What can companies do now?

Odoner/Bartholomew/Dinkoff: We have the following suggestions:

• Reexamine existing whistleblower policies and procedures to ensure that they emphasize the value the company places on employees coming forward with concerns and that the policies and procedures are easy to understand and follow. While there is no requirement that whistleblower policies refer to the bounty program, companies should be aware of the proliferation of ads from plaintiff's attorneys and be prepared to answer questions about the program from their employees. In doing so, it is appropriate to mention the incentives for internal reporting, but care must be taken to avoid - expressly or implicitly - discouraging individuals from reporting directly to the SEC.

• Review and strengthen existing procedures to prevent retaliation or the appearance of retaliation. Any performance management or disciplinary action against a whistleblower should be reviewed first by HR and legal.

• Review and strengthen existing procedures for logging, evaluating, investigating, signing off and, where appropriate, responding to complainants on the disposition of complaints. Do not apply a "materiality" filter in assessing the merits of a particular employee complaint regarding a possible federal securities law violation, and be careful when dismissing as a potential whistleblower complaint one that may appear to more clearly implicate HR or other concerns unrelated to the federal securities laws.

• Take a holistic approach to internal compliance under the oversight of the board. In addition to re-evaluating complaint procedures, re-evaluate underlying compliance programs in important areas such as FCPA that can be the substance of complaints. Conduct reviews at regular intervals, reporting the results to the appropriate board committee or the full board.

• Consider "cultural measures" to encourage internal reporting, such as thorough investigation of complaints to demonstrate commitment to a strong compliance program; the appointment of a chief compliance officer with a straight or dotted line to the audit or other appropriate board committee or the full board; regular communication with and meaningful training for employees about internal compliance policies and procedures and complaint mechanisms (including, for supervisors, how to address concerns); and continual enhancement of the "tone at the top."

Editor: Do you have any final thoughts for our readers?

Odoner/Bartholomew/Dinkoff: New Regulation 21F is likely to change the landscape for corporate compliance programs as well as SEC enforcement matters. It creates an environment in which any employee or other individual who believes he or she has knowledge about a possible federal securities law violation is highly motivated to report the information to the SEC - and the SEC is highly energized to pursue it. In this environment, we believe the most constructive approach is for a company (under the oversight of the audit or other appropriate board committee or the full board) to ensure that it has in place robust internal compliance and audit procedures that are designed to uncover potential wrongdoing and, where it is found, to promptly address and remediate it. Where the company learns of credible allegations of misconduct from a whistleblower, it must protect the whistleblower from retaliation, immediately investigate the allegations and, where they are credible, consider whether and when to report to the SEC. Finally, the whistleblower rules create yet another incentive for boards of directors, CEOs and other members of top management to make clear - through their conduct and communications - that they take compliance seriously and are subject to the same requirements as all employees.
