On November 3, 2010, the U.S. Securities and Exchange Commission ("SEC") issued proposed rules for implementing the whistleblower program established by Section 922 of the Dodd-Frank Wall Street Reform and Consumer Protection Act ("Dodd-Frank Act"). Under the program, eligible whistleblowers who voluntarily provide the SEC with original information regarding a violation of the securities laws or the Foreign Corrupt Practices Act ("FCPA") may receive a bounty of a minimum of 10% and a maximum of 30% of the penalties received, if the penalties exceed $1,000,000. Because whistleblowers now have considerable financial motivation to report potential violations to the SEC, companies face a significantly increased risk of investigations into their business and accounting practices. The SEC has reported that it already is receiving numerous reports under the whistleblower program. In light of this, companies should review their corporate compliance programs and internal controls to determine if improvements can be made. This alert discusses the proposed rules and what you can do to prepare your company for them.

Competing SEC and Corporate Interests

Through the proposed rules, the SEC attempts to address the inherent tension between encouraging whistleblowers to report to the SEC and not undermining internal corporate compliance systems. In an effort to strike a balance between these competing interests, the proposed rules start with a broad definition of whistleblower and then exclude certain classes of individuals from eligibility in the bounty program. A "whistleblower" is "an individual who, alone or jointly with others, provides information to the [SEC] relating to a potential violation of the securities laws." To qualify as a whistleblower, the information provided must be original information derived through independent knowledge, not public sources.

The proposed rules exclude several persons from being eligible to receive bounties, including:

  • those who receive information subject to the attorney-client privilege;
  • attorneys and auditors who learn of potential violations as a result of professional engagements;
  • "bandwagon" whistleblowers (those who come forward only after receiving a formal or informal request for information);
  • those who obtain information in a manner that violates the law;
  • persons who are governmental or law enforcement personnel;
  • persons convicted of a criminal violation related to the SEC action (although other culpable whistleblowers still qualify for bounties, and the SEC is seeking comment on that issue); and
  • persons with legal, compliance, audit, supervisory, or governance responsibilities who learn of information under an expectation that they would cause the company to respond appropriately (unless the entity does not disclose the information within a reasonable time or proceeds in bad faith).

Notably, the proposed regulations contain a caveat with respect to this last group that creates a potential time-bomb within a corporation that does not self-report. If the company does not self-report in a "reasonable" time or proceeds in bad faith, any knowledgeable compliance person -- even those who only find out about the violation as a result of their compliance duties -- can report the matter to the SEC after a "reasonable" time expires and obtain a bounty. The SEC declined to provide a definition for what may constitute a "reasonable" time.

Proposed Procedures for Whistleblower Filings

In addition to further defining eligibility for the bounty program, the proposed rules delineate the procedures for whistleblower bounty claims.

Submitting Original Information to the SEC

The proposed rules provide step-by-step procedures for whistleblowers to follow when submitting information to the SEC. This includes submission through the SEC's website or through proposed standardized forms.

The commentary to the proposed rules recognizes that the ease of reporting information, along with the potential for significant bounties, could encourage unfounded submissions. Thus, the proposed rules include measures to protect against the submission of false information. First, a whistleblower must declare under penalty of perjury that the information in the intake form is true, correct, and complete, and that the whistleblower understands he or she is subject to prosecution if the information was submitted knowing it was false, fictitious, or fraudulent. Second, if a whistleblower chooses to submit information anonymously, the whistleblower must be represented by an attorney, who in turn, must certify the whistleblower's identity and retain the whistleblower's original, signed form.

Submitting Claims for Monetary Awards

Under the proposed rules, whistleblowers must file a standardized form to claim monetary awards under the bounty program. After the SEC completes its investigation and final judgment is entered, if the action results in monetary sanctions exceeding $1 million, the SEC's Whistleblower Office will publish a "Notice of a Covered Action" on the SEC's website. Once this notice is published, the whistleblower will have 60 days to file a claim for monetary award. If the whistleblower fails to file this claim within 60 days, the whistleblower waives his or her right to any monetary award. A whistleblower who submitted information anonymously must disclose his or her identify to the SEC at this time, although the identity of the whistleblower may have to have been disclosed earlier in the enforcement process. The SEC considers whistleblower identity information confidential and exempt from the provisions of the Freedom of Information Act.

Appeals

Under the proposed rules, a whistleblower may appeal the SEC's decisions regarding whether to make an award and to whom to make an award. Appeals are filed with the U.S. Court of Appeals for the District of Columbia Circuit or the U.S. Court of Appeals for the circuit in which the whistleblower resides. A whistleblower may not appeal the amount of an award so long as it is within 10 to 30 percent of the total monetary sanctions collected.

Increased Protection from Retaliation

The Dodd-Frank Act also prohibits employers from retaliating against whistleblowers and provides whistleblowers with a private cause of action for retaliation. Under the proposed rules, the anti-retaliation provisions apply to whistleblowers regardless of whether the whistleblowers qualify for bounties. In addition, the proposed rules state that "[n]o person may take any action to impede a whistleblower from communicating directly with the [SEC] staff about a potential securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications." Although the proposed rules do not elaborate on the actual anti-retaliation requirements, the SEC is seeking comment on whether it should promulgate rules on these provisions.

Practical Considerations and Company Best Practices

In light of the financial bounties available to whistleblowers, companies should evaluate their internal controls over financial reporting, their internal audit function, and their legal and regulatory compliance programs relating to federal securities laws, including the FCPA. While most companies have these compliance measures in place, given the potential for increased whistleblower reporting, companies should consider revisiting their measures for any gaps and areas of improvement. A strong program of internal controls, internal audit, and regulatory compliance, with robust FCPA controls, could minimize the occurrence of violations.

Internal Controls, Internal Audit Function, and Compliance Personnel

Although there is no "one-size-fits-all" approach for improving compliance programs, many companies would benefit from more proactive procedures. Companies should consider reviewing their internal audit function; their compensation systems; their reporting structure; their contracting policies and procedures in foreign countries; the staffing sufficiency, qualifications and expertise of their accounting and financial reporting personnel; and the staffing, authority, compensation, and reporting structure of their regulatory compliance personnel. With dedicated personnel knowledgeable of securities laws, accounting principles, internal controls, auditing procedures, and regulatory requirements, companies can decrease the likelihood of a violation occurring in the first place.

Because persons who discover violations or obtain information through their compliance job duties generally are ineligible for bounties under the proposed rules, companies would not need to be concerned about these persons reporting to the SEC for personal financial gain (unless the company ignores the information and fails to self-report to the SEC in a timely manner). Companies therefore would have the opportunity to resolve and address issues internally.

Internal Employee Reporting Procedures

The proposed rules encourage employees to report within their companies by making doing so a positive factor in setting bounty award levels. The SEC also assesses the effectiveness of the company's internal reporting system in determining the amount of the penalty.

Companies should provide employees with an easy to use internal system for reporting potential violations. Failure to do so could encourage employees to instead report directly to the SEC. Most companies already utilize internal reporting tools such as hotlines, anonymous drop boxes, open door policies, and designated compliance personnel; however, companies should reevaluate whether their system actually encourages employees to report internally. One way of doing so includes communicating that the company will not take any adverse action against persons who report information. Companies also may consider offering rewards or incentives for internal reporting. Although a company cannot prohibit or discourage employees from reporting to the SEC, offering incentives for internal reporting could promote a positive culture in which reports are made to the company first, rather than directly to the SEC. In addition, some companies may consider adding Sarbanes-Oxley Section 302 sub-certifications for each periodic report to require employees to either make the report or submit a false sub-certification.

As a practical matter, internal whistleblower programs should be staffed and supported to ensure that all complaints are properly reviewed by appropriate personnel. Although there is no standard approach to handling internal complaints -- and indeed the privacy laws in certain jurisdictions require different approaches to employee hotlines -- establishing a process for handling and reasonably investigating these complaints will demonstrate a company's good faith. If the company self-reports, these efforts could mitigate potential sanctions. Properly run, internal whistleblower programs also can demonstrate the company's attention to employee concerns and encourage employees to report internally instead of directly to the SEC.

Anti-Retaliation Policies and Best Practices

It also is important for companies to maintain a strong anti-retaliation policy and to communicate that policy to employees. Management should confer with legal counsel before taking any adverse action against an employee who is either known or suspected to be a whistleblower. Additionally, because employees may file retaliation claims under the Dodd-Frank Act up to ten years after the alleged event, companies should document all employment decisions and maintain the documentation for at least ten years. Otherwise, a company could be left without evidence to defend itself because witnesses can easily forget events or leave the company within ten years.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.