In August of 2014 the SEC announced a modest whistleblower award of $300,000 to an unnamed company employee "who performed audit and compliance functions and reported wrongdoing to the SEC after the company failed to take action when the employee reported it internally."1

While the amount of the award was not particularly hefty, and was dwarfed by several multi-million dollar whistleblower awards given previously, it carried particular significance to astute observers in the corporate legal, internal audit, and compliance communities. Insiders know that compliance officers and internal auditors, beleaguered and sometimes frustrated as they may be, hold the "keys to the kingdom" when it comes to knowledge of corporate ethical and legal lapses within their companies. Prior to this award, it had generally been thought the SEC would continue to discourage such awards on the rationale that it would not want to encourage employees whose job it was to prevent corporate legal and ethical violations to profit from simply doing their jobs.

Nevertheless, the SEC Press Release contained a rationale for the award that set out what may represent a not-so-subtle change of opinion on the part of the agency. As the Director of the SEC's Office of the Whistleblower, Sean McKessy, stated in the Press Release:

"Individuals who perform internal audit, compliance, and legal functions for companies are on the front lines in the battle against fraud and corruption. They often are privy to the very kinds of specific, timely, and credible information that can prevent an imminent fraud or stop an ongoing one. These individuals may be eligible for an SEC whistleblower award if their companies fail to take appropriate, timely action on information they first reported internally."

It has generally been understood that compliance officers and internal auditors are not permitted to receive whistleblower awards because information they reported to a superior constituting allegations of misconduct was not to be considered "original information" under the Dodd-Frank Act and SEC rules.2

However, even early in the life of the whistleblower law, Mr. McKessy had alluded to the rationale for allowing these professionals to become whistleblowers, under what he then described as "limited" circumstances. In a 2011 speech at Georgetown University, he described the exceptions to the rule against whistleblowing by internal auditors and compliance officers:

"As for compliance and internal auditors, some claim the final rules allow for the possibility of an award to these professionals merely for doing what the company is paying them to do.

But... an employee with compliance or internal auditor responsibilities may only be eligible for a whistleblower award under... limited circumstances; that is if they have a reasonable belief that reporting is necessary to prevent actions that will result in imminent harm or impede an investigation... [A]llowing for the possibility of a whistleblower award under these circumstances does not encourage a breach of their responsibilities – it rewards them for taking those obligations seriously.

[Another] possibility of an award to compliance or internal audit personnel occurs only when more than 120 days have passed since the information was reported to certain officials – including the entity's audit committee, chief legal officer, chief compliance officer or supervisor.

In this case, an award is possible only after these professionals have done what they are paid to do: They reported wrongdoing internally with a view of having it addressed – but, for whatever reason, the entity failed to take timely remedial action.

Keeping in mind the ultimate goal to prevent or stop possible violations of the securities laws, I see nothing wrong with incentivizing compliance and internal audit employees to come forward when the internal compliance process has failed" (Italics added).

Mr. McKessy was describing the whistleblower opportunities enabled by the "exceptions" the writers of the SEC Final Rule crafted to narrow the general statutory prohibition against whistleblowing by compliance and internal audit professionals. In the process of drafting the Final Rule, the SEC considered many comments (including several from this writer) arguing that enforcing a general prohibition against compliance and internal audit personnel would deter the very individuals who may be in the best position as insiders to know of illegal activity.

Predictably, corporate interests took the opposite tack, and wanted absolute prohibitions on certain insider whistleblowers. The SEC responded by creating three generous "exceptions" to the general prohibition. As described by the SEC Implementation Release: "If any one of these circumstances is present, a person in one of the designated categories under [the Rule prohibiting whistleblowing] may be eligible for a whistleblower award that is otherwise excluded to that individual..." Id., Fed. Reg. June 13, 2001 at 34318. While these "exceptions" do not exactly "swallow the Rule," they give considerable latitude to a conscientious compliance officer or internal auditor who decides to "cross the Rubicon"3 and become an SEC whistleblower:

The Whistleblower "Exceptions" For Compliance Officers and Internal Auditors

(a) Substantial injury to the financial interests of the company or its investors.

The first exception allows whistleblowing "when the designated person has a reasonable basis to believe that the disclosure of the information to the [SEC] is necessary to prevent the [company] from engaging in conduct that is likely to cause substantial injury to the financial interest or property of the entity or investors."

Lawyers use the term "reasonable" when they have to define something that often cannot be defined precisely. Here, a "reasonable basis" should include anything that could be viewed by a typical compliance officer or internal auditor as knowledge of facts of a fraud, either in the past, ongoing, or potentially possible, the revelation or operation of which could substantially injure the company if exposed, or be allowed to continue to fester unchecked. An ongoing scheme to bribe foreign officials, a recurring "cooking of the books" by false accounting entries, off balance sheet efforts to improve financial results, improper revenue recognition, improper use of reserves, etc., significant insider trading, or any active scheme involving corporate fraud and corruption, or the present cover-up of past fraud, would probably qualify. A one-off event, perhaps in the past, that would not shake the company to its foundation if exposed might not qualify. As beauty is in the eye of the beholder, the "reasonable basis" to disclose would ultimately be in the determination of the SEC. The would-be whistleblower must take the leap of faith going in that his or her basis for disclosure is reasonable under the circumstances and that the SEC will ultimately determine that the information reported merits an investigation ultimately leading to a successful enforcement action.

As the SEC originally described it, the company must be shown to be up to some significant devious behavior:

"For purposes of the [Rule], in order for a whistleblower to claim a reasonable belief that disclosure of information to the Commission is necessary to prevent the [company] from committing substantial harm, we expect that in most cases the whistleblower will need to demonstrate that responsible management or governance personnel at the [company] were aware of the imminent violation and were not taking steps to prevent it. In short, the whistleblower must have a reasonable basis for believing that the entity is about to engage in conduct that is likely to cause substantial injury to the financial interests of the [company] or investors, and that notification to the Commission is necessary to prevent the entity from engaging in that conduct." Id. Fed. Reg. at 34319.

There is clearly a forward-looking thrust to this exception. It would seem that information designed to thwart, expose or otherwise terminate an ongoing or nascent fraud is what the SEC has in mind. It wants information to stop a fraud in its tracks, not necessarily to find out about an "old fraud" that is no longer active. Nevertheless, information about prior activity that could seriously damage the company if revealed, especially if it is being actively concealed by management, could "reasonably" be viewed by the whistleblower as being fair game for a whistleblower submission, particularly if the company was purporting to investigate it but was, in Mr. McKessy's words, "failing to take timely remedial action." This might involve, for example, failure to correct financial results for prior periods that were knowingly materially misstated, or failing to correct or improve internal controls that were known to have failed, or to sanction or remove officers or managers who had committed unethical or illegal acts and were likely, if left unfettered, to commit such acts in the future.4

It is interesting that in the very case in which the recent $300,000 award was made to a compliance officer, the underlying fraudulent activity consisted of insider trading and other violations committed by the former CEO of the company in the past, including trading that was by the time of the SEC action five years old.5 In this case, the whistleblower had reported the information to the company, which apparently did little or nothing about it. After waiting the requisite 120 days (see Exception Three below), the whistleblower reportedly informed the SEC of an internal investigation which amounted to a "whitewash."

So the would-be compliance officer or internal auditor must initially make what may be a difficult judgment call. Is his or her information viable enough to pass the SEC's test of "substantial harm" to the company or investors, if left unreported to the SEC? The whistleblower may not learn until well after the case had been brought whether the SEC will consider him or her a hero or a bum, just out to profit by front-running a legitimate corporate internal investigation.

Presumably, given the considerable career risk such a whistleblower is taking in going to the SEC, that individual will be careful to assemble, through documents or similar credible evidence, hard facts demonstrating that the company is in some respect acting in bad faith, either by ignoring altogether the facts presented to it by the whistleblower or others (the best case scenario), or looking into the matter in a demonstrably half-hearted manner overtly or covertly designed to reduce the chance it will have to report serious illegality to the SEC.

It has long been recognized in the compliance community that the internal culture at some companies pays mere lip service to compliance officers and their work, regardless of what the company's public statements and handbooks may proclaim. Faced with serious allegations of wrongdoing, the internal controls may be lacking, the compliance program inadequate, and the ultimate response clearly inadequate or worse. Fear of release of information that may have a negative impact on financial results or stock price may cause management to stall disclosure or subvert the internal investigation. In the case of an ongoing, unfolding fraud, the failure to respond forcibly should be apparent to insiders. An erstwhile compliance or internal audit person who can fully document and prove such failure (presumably aided by emails, memos, or perhaps corroboration from other employees) should have a strong case for satisfying the first exception.6

(b) Conduct that Impedes the SEC's Investigation

The Second Exception to the prohibition on whistleblowing by compliance and internal audit officers is more straightforward: it applies when "the [whistleblower] has a reasonable basis to believe that the [company] is engaging in conduct that will impede an investigation of the misconduct." This could include "destroying documents, improperly influencing witnesses, or engaging in other improper conduct that may hinder [the SEC's] investigation." Id., Fed. Reg. June 13, 2011 at 34319.

Of course, this is the "smoking gun" kind of activity that can quickly sink a company if it occurs and is ultimately uncovered. As dumb as such conduct would seem in the current enforcement climate, it still occurs, and once discovered will surely elevate the SEC's prosecutorial adrenaline. The evidence is, of course, often more complicated and incomplete. Management in self-protection mode can find various ways to intimidate witnesses into keeping quiet or altering their recollection just enough to muddle or conceal the facts. A company can appear to be taking swift and decisive action by singling out a few scapegoats for harsh treatment while knowing or having good reason to know that the illegal activity is likely more widespread. An internal investigation can be "slow-walked" to cause the SEC to lose interest or the company to lose key documents. A company can bury incriminating documents among thousands of pages of junk to overwhelm the limited staff resources of the SEC (a favorite trick in the old days of paper production, and one that can be even more effective if a bad email or two are part of a disc containing a million other garbage documents).

Here again the compliance officer or internal auditor may well see this happening in real time. A supervisor, for example, may announce that the investigation is being truncated or limited in some fashion which may appear reasonable to an over-worked SEC lawyer but in reality is carefully designed to take the SEC staff down a blind alley or leave untouched an area of inquiry the company desires to avoid. A key former employee who knows where "the bodies are buried" can be left undisturbed in his Florida retirement cocoon while other more company-friendly witnesses are produced to the SEC. If the higher-ups indicate, indirectly, or through subordinates, their desire for the investigation to reach a certain conclusion that skirts the truth, the compliance officer may see it better than anyone else. I would suggest this second exception is designed to cover all these situations. Again, the key is for the whistleblower to come to the SEC with hard evidence, not just suspicions or what amounts to little more than water cooler gossip or undocumented conversations with superiors.

(c) The 120-Day Wait

The third exception, as written, is a convoluted piece of work to be sure, but in the end may be the most powerful of the three. In short, if the compliance officer or internal auditor has provided information of a violation to his superiors, or he or she has received such information "under circumstances indicating that the entity's audit committee, chief legal officer, chief compliance officer (or their equivalents), or his or her supervisor was already aware of the information", and he or she waits 120 days since these events have occurred to contact the SEC, that person can become a whistleblower. The SEC felt it necessary to adopt "an exception that will permit a person in one of these designated categories to become a whistleblower after a fixed period." Id. Fed. Reg. June 13, 2011 at 34319.

The SEC was concerned that a compliance officer, for example, should not be able to receive information of a violation, sit on it for four months telling no one else, then run to the SEC. This provision prohibits such chicanery. Rather, if the information is provided to the superiors and they either ignore it, or act on it slowly, the compliance officer or internal auditor can act after four months and go directly to the SEC with the same information, and qualify as a whistleblower. Even if the would-be whistleblower did not personally report the information up in the organization, he or she can still act on it after 120 days if they have good reason to believe under the circumstances that superiors have been aware of it for at least that long themselves.

This was the provision cited by the SEC to justify the recent $300,000 award.7 This exception is quite clear and unforgiving, the proverbial 400 pound gorilla in the C Suite. Henceforth, companies that sit on problematic information for more than four months without reporting it to the SEC have to be concerned that someone down below may be counting the calendar for the magic moment when he or she is free to run to the SEC and report the bad news.

Why 120 days? No one outside the SEC knows. Four months goes by quickly in a big organization. The SEC was careful to add that it did not intend to suggest that companies have only a "120-day 'grace period' for determining their response to the violations." Id. But then the SEC Implementation Release immediately reminded its audience that "when considering whether and to what extent to grant leniency to entities for cooperating in our investigations and related enforcement actions, the promptness with which entities voluntarily self-report their misconduct to the public, to regulatory agencies, and to self-regulatory organizations is an important factor." Id.

Further complicating the guidance, the SEC added that the rule "is not intended to, and does not, create any new or special duties of disclosure on entities to report violations or possible violations of law to the Commission or to other entities." Likewise, the SEC states that it does not intend to suggest that an internal investigation "should in all cases be completed before an entity elects to self-report violations, or that 120 days is intended as an implicit 'deadline' for such an investigation." This is comforting, for rarely can a legitimate investigation of such matters be completed in just four months. Moreover, the SEC advises that the "staff may receive such information and agree to await further results of the internal investigation before deciding its own investigative course." Id. This is a big nudge to the company to tell the SEC something within 120 days, if only that it is undertaking a thorough internal investigation of the matter.

This SEC guidance reminds me of the fifth grade teacher who once told our class: "I know someone did this bad thing [fill in the blank from your experience] and I am giving you until the end of recess to tell me who did it." As I read it, the company better tell the SEC something in the first 120 days or it runs the real risk the whistleblower will be in the teacher's office before or immediately after the end of recess. But this guidance also puts an added burden on the would-be whistleblower: if he or she relies exclusively on this third exception and waits 120 days to go in, the company may report first, even if to say little more than it has an indication of a problem and will conduct a "thorough investigation" which may take months. Given this quandary, the compliance/internal audit whistleblower may consider going right in before 120 days run, if he or she feels they have a strong case for eligibility under either or both of the first two exceptions, which have no waiting period. In this scenario, I would suggest consulting an attorney for guidance. An attorney will be necessary anyway if the whistleblower decides to remain anonymous.

Perhaps the answer lies in how the putative whistleblower perceives the company's good faith. If he or she truly believes the company is doing the right thing, even if it is getting into the matter more slowly than the whistleblower thinks appropriate, and there is as yet no hard evidence of obstruction or imminent harm to investors, then the 120 day wait may be a safer course. After all, exception three does not require any specific evidence of obstruction of the SEC's investigation or grave harm to the financial well being of the company, it only requires a four month wait to report any activity which may be questionable.

If the company at least appears to be undertaking an internal investigation in good faith, the compliance officer or internal auditor who knocks on the SEC's door on day 121 has used exception three correctly but still should have solid evidence of a failed or failing internal investigation, if not outright obstruction or continuing known fraud. If the whistleblower has nothing approaching this, he or she runs the risk of being labeled by the SEC staff, fairly or not, as a "front-runner" cravenly looking for a big whistleblower award. Presumably, unless such evidence is in hand, it would be highly unlikely a rational actor would risk his or her career on what could amount to a long shot. Conversely, if there is solid, even if not yet conclusive, evidence that the company is not approaching the investigation with vigor, and may in fact be deliberately trying to avoid the bad stuff while claiming full cooperation (or not reporting anything), then the 120 day wait may be time enough to assemble facts sufficient to persuade the SEC that the whistleblower has acted responsibly and could be in line for an award if the matter turns into a qualifying enforcement action.

(d) In the Immortal Words of Spike Lee, "Do the Right Thing."

The SEC increasingly relies on reporting companies to virtually police themselves in many instances. If a company pledges "full cooperation" and undertakes what only appears to be a full-throated internal investigation, it may be near impossible for an SEC staff lawyer to figure out he or she is being played by skillful company managers, who have a big stake in seeing the company sail through the storm. If a lonely compliance officer or internal auditor sees the emperor is wearing no clothes, he or she has a tough choice to make: leave it alone or go to the SEC with the real facts. These are gut wrenching personal decisions of enormous consequence, perhaps made around the dinner table with only their partners to consult, and with a career on the line.

If the decision is to go in to the SEC, then Ralph Waldo Emerson's old adage comes to mind: "Never strike a king unless you are sure you shall kill him." Your case must be documented thoroughly. If you are aware of insiders who will tell the truth if asked by the SEC, you have to be prepared to name them. You may need to copy and produce documents you are not supposed to disclose. The retaliation provisions of Dodd-Frank may in theory protect you, but you can't count on it (especially if you are acting from abroad). Even going in as an anonymous whistleblower through a lawyer gives no guarantee someone in the company won't figure out the source.

In the final analysis, however, the real job of a compliance officer is not just training employees to know the FCPA or any of the myriad of laws and regulations that now govern corporate conduct, but doing his or her absolute best to help them comply with the law, and to identify the cases when they fail. An internal auditor is charged with making his or her investigations and reports, but not administering punishment. But the presumption in each case is that the company will take your work seriously and take action to correct and if necessary report the problem to regulatory authorities.

If this does not happen, or the company displays either a lack of good faith or competence in undertaking its end of the bargain, you may have to undertake corrective action, however unpleasant or personally risky. In truth, you owe this to the company, its vast majority of honest employees, and its investors. If certain people in the corporate structure are blind to the "bet the company" risk in ignoring or covering up wrongdoing, your job is to ensure that philosophy does not prevail. I suggest with respect that that duty should remain foremost in the personal decision as to whether and when a compliance officer or internal auditor should, if the situation demands and the law allows, become a whistleblower.


1. SEC Press Release, August 29, 2014.

2. CFR Sec. 240.21F-4(b) states that "[a]n employee whose principal duties involve compliance or internal audit responsibilities, or [who was] employed by or otherwise associated with a firm retained to perform compliance or internal audit functions for an entity" will not be considered sources of original information. See Federal Register, June 13, 2011 at 34318 (SEC Final Rule Implementation Release): "For example, a compliance officer is subject to the rule whether he or she learns about possible violations in the course of a compliance review or another employee reports the information to the compliance officer."

3. According to Wikipedia, "the idiom 'Crossing the Rubicon' means to pass a point of no return, and refers to Julius Caesar's army's crossing of the river in 49 BC, which was considered an act of insurrection." This may well describe the actions of a whistleblowing compliance officer or internal auditor, at least in the eyes of their employer.

4. The information provided might involve a case already under investigation by the SEC and involve the concealment from current investors of the damaging fact of that ongoing investigation. As described by Gretchen Morgenson recently in the New York Times, a whistleblower who was a marketing manager of a hedge fund learned of an investigation of the fund by the SEC and wanted to disclose this to prospective investors but was told by her superiors not to disclose anything until the SEC investigation was resolved. She refused and was fired. "Hedge Fund Kept U.S. Inquiry Quiet," New York Times, Dec. 7, 2014, p.5 (Business).

5. See SEC Litigation Release No. 22790, SEC v. Phillip J. DeZwirek, Sept. 3, 2013.

6. A striking recent example of such a culture is vividly provided in Matt Taibbi's recent exposé "The $9 Billion Dollar Witness: Meet JP Morgan Chase's Worst Nightmare," the story of an in-house securities lawyer at the firm who ran into a massive brick wall in attempting to expose a massive securities fraud in the bank's mortgage operations. Rolling Stone, Nov. 6, 2014.

7. "Order Determining Whistleblower Award Claim", Securities and Exchange Commission Whistleblower Award Proceeding, File No. 2014-9, August 29, 2014.

Daniel J. Hurson is former Assistant Chief Litigation Counsel at the SEC and a former federal prosecutor. He practices securities enforcement defense in Washington, D.C., and represents SEC whistleblowers.