05.26.2011

|

Updates

On May 25, 2011, in a 3-2 vote, the U.S. Securities and Exchange Commission (“SEC”) adopted its final rules (“Rules”), as required under Section 922 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act” or the “Act”).  The Rules implement the SEC’s hotly anticipated new whistleblower bounty program that rewards individuals who provide the SEC with information leading to successful enforcement actions that exceed $1 million in monetary sanctions.  Eligible whistleblowers can earn a payout of 10% to 30% of any monetary sanctions collected because of the tipster's information. 

The Rules largely mirror the SEC’s whistleblower rules proposed in November 2010.  However, the Rules reject the internal reporting mandates for which corporations had so aggressively advocated.  Instead, the Rules attempt to encourage internal reporting using measures that preserve an employee’s whistleblower eligibility if he or she first reports wrongdoing to the company, and the company subsequently reports the information to the SEC.  The Rules also create a “look back” period to allow whistleblowers to hold their “place in line” if they first report their concerns internally to the company—provided the whistleblower subsequently reports that same tip to the SEC within 120 days.  The SEC will also consider higher percentage bounty awards for tipsters who report potential violations internally before turning to the SEC.

Despite the added incentives geared toward internal reporting, the Rules remain fraught with provisions that could potentially undermine internal compliance programs.  For instance:

  • Employees who deal with internal compliance and audit functions are eligible to become whistleblowers if the company fails to disclose allegations of wrongdoing to the SEC within 120 days after receiving notice of the misconduct. 
  • The Rules effectively create a 120-day “reasonable timeframe” for companies to address internal whistleblower reports even though such tips often implicate complex fraud schemes that require a significant amount of time to investigate and corroborate. 
  • The Rules authorize SEC staff to communicate directly with whistleblowers who are directors, officers, members, agents, or employees of an entity that has counsel, if the whistleblower initiated communications with the SEC.

Under the new reporting landscape created by the Rules, companies will have to take proactive measures to ensure the effectiveness of internal compliance programs.  This update analyzes the key provisions of the Rules and provides guidance to help companies ensure effective compliance with them. 

Key Criteria for Dodd-Frank Whistleblower Bounty Eligibility 

To earn a whistleblower bounty, a tipster must voluntarily provide “original information” about a possible federal securities law violation that has occurred, is ongoing, or is about to occur.  The Rules require this original information to be based on the whistleblower’s independent knowledge or analysis and not on information that has already been provided to the SEC by another source—unless the whistleblower is the original source of the information (i.e., if the whistleblower first reports wrongdoing to the company and the company subsequently reports the information to the SEC). 

Consistent with the recently amended language of the Federal False Claims Act, a Dodd-Frank Act whistleblower is not required to have direct, firsthand knowledge of possible violations.  Knowledge may be obtained from any of the whistleblower’s independent experiences, communications and observations in business or social interactions, which can include information obtained from a third party.  However, information cannot be exclusively derived from:

    • an allegation made in a judicial or administrative hearing, 
    • an allegation made in a governmental report, hearing, audit or investigation, or
    • allegations made by the news media.

Additionally, information that is deemed by a U.S. court to have been obtained in violation of applicable federal or state criminal law will not be eligible for the reward.

Information from Attorney-Client Communications or Legal Representation Is Ineligible

In response to public comments concerning the importance of safeguarding the attorney-client privilege, the Rules exclude from “original information” any information protected by the attorney-client privilege, as well as any information obtained in connection with the legal representation of a client on whose behalf an individual (or the individual’s employer or firm) is providing services, unless disclosure by that attorney would otherwise be permitted under applicable state bar ethics rules (e.g., by waiver, where an attorney believes disclosure is necessary to prevent a crime or fraud that would cause substantial injury, to prevent perjury, etc.).  This exclusion also applies to attorneys who work in-house for an entity and provide legal services in that capacity, as well as external lawyers retained by a company.

Exception to Exclusion for Whistleblowers With Internal Compliance Duties

During the SEC’s public commentary period on the proposed whistleblower rules, groups of employers and other professional organizations voiced concerns that the proposed rules could undermine internal reporting systems and potentially provide a windfall to employees involved in the very conduct they are reporting.  In response, the Rules provide that certain information will not be deemed original if it is obtained in connection with the performance of internal compliance or internal auditing duties, subject to a few critical exceptions.

As adopted, the Rules exclude from award eligibility information that a whistleblower learned in connection with internal compliance processes, or was informed about as an allegation of misconduct by virtue of the tipster’s position as an officer, director, trustee or partner of an entity.  This provision is not intended to generally bar officers and other designated persons from acting as whistleblowers.  Similarly, award eligibility is excluded for information that is obtained from an employee (either in-house or external) whose duties involve compliance or internal audit responsibilities for the company; in connection with a firm conducting an inquiry or investigation into possible violations of law; or by a public accounting firm while it is performing functions that are required under the federal securities laws.

While the Rules provide that certain information will not be deemed original if it is obtained in connection with the performance of internal compliance or internal auditing duties, this exclusion will be lifted if: 

    • the whistleblower reasonably believes that disclosure is necessary to prevent conduct that is likely to cause substantial injury to the financial interest or property of the company or its investors; 
    • the whistleblower has a reasonable belief that the entity is engaging in conduct that will impede an investigation of the misconduct (e.g., document destruction, witness intimidation); or 
    • at least 120 days have elapsed since the whistleblower reported the information to the company’s audit committee, chief legal or compliance officers, or a supervisor.

Defense-side advocates are likely to raise strong objections to the 120-day limit in particular, given that whistleblower tips often implicate complex fraud schemes that require a significant amount of time to investigate and corroborate, especially when they involve conduct in remote and foreign regions—which is frequently the case in allegations relating to the Foreign Corrupt Practices Act.

Notably, these exceptions do not apply to information obtained from attorney-client communications or legal representations, unless disclosure by that attorney would otherwise be permitted under state bar ethics rules or pursuant to the SEC’s attorney conduct rules, which provide that an attorney may reveal confidential information to prevent an issuer from committing a material violation that is likely to cause substantial injury to the financial interest or property of the issuer or investors.  
See 17 C.F.R. § 205.3(d)(2).

Original Information Must Be Provided Voluntarily 

Because original information must be provided voluntarily in order to qualify for the reward, the Rules exclude information that was not provided to the SEC before the would-be whistleblower received a request, inquiry or demand relating to that same information from:  

    • a self-regulatory organization (“SRO”); 
    • the Public Company Accounting Oversight Board (“PCAOB”);
    • Congress, any federal agency or a state attorney general; or 
    • a securities regulatory authority.

Although the draft rules considered requests that were directed to an employer to also be directed to an employee-whistleblower who possessed the requested information, the Rules eliminated that provision.  The SEC also excluded requests from foreign authorities.  However, in cases where the SEC requests the assistance of foreign authorities to obtain documents or information, and the foreign authority forwards a corresponding request to a resident within its jurisdiction, the SEC will treat the request as its own. Any subsequent whistleblower submission on that same subject will not be treated as “voluntary” under the reward program.

Certain Individuals Excluded From Eligibility

Although the Dodd-Frank Act itself defines “whistleblower” very broadly—essentially, any individual (or two or more individuals) who provides original information relating to a potential violation of securities laws, it expressly excludes from eligibility: 

    • members, officers or employees of a regulatory agency, the U.S. Department of Justice(“DOJ”), an SRO, the PCAOB, or a law enforcement organization;  
    • individuals who are convicted of a criminal violation related to the action in question; 
    • individuals who acquired the disclosed information through the performance of a financial statement audit as required under the securities laws. 

In addition, the SEC’s Rules further reduce the pool of eligible whistleblowers by explicitly excluding

    • foreign officials; 
    • family and household residents of SEC employees and members; and 
    • individuals who knowingly and willfully make or use false, fictitious or fraudulent statements in dealings and representations concerning the whistleblower submission.

The Rules do not exclude from eligibility individuals who are culpable or otherwise involved in the reported matter, but the SEC may take those factors into account when determining the award amount (e.g., their role in the violations, whether they acted with scienter, whether they financially benefited from violations, etc.).  Employers and others lobbied to change the SEC’s proposed definition of “whistleblower” to include only individuals who report violations of securities laws by another person and those who did not participate in or facilitate the violations.  The Rules declined to adopt such a blanket exclusion, opting instead to limit (or potentially eliminate) a culpable whistleblower’s financial reward by excluding any fines assessed against the company resulting from misconduct that the whistleblower substantially directed, planned or initiated, for the purpose of determining whether the $1 million threshold for the reward has been met. 

Reporting Provisions Draw Controversy 

During the public comment period on the SEC’s proposed whistleblower rules, a number of employers sought to make compliance with internal reporting procedures a condition of eligibility for the whistleblower award, except where (1) the employer does not have an effective internal compliance program; or (2) the employee can justify exemption by extraordinary circumstances.  While the Rules attempt to incentivize internal reporting, they do not mandate it. 

Instead, the Rules attempt to accommodate the need for effective internal compliance programs by providing that the SEC will consider whether a whistleblower first reported any potential violations through internal procedures when it determines the amount of the whistleblower’s reward.  Under this structure, higher percentage awards may be awarded to whistleblowers who report violations internally before turning to the SEC.

To further discourage employees from bypassing internal compliance programs, the Rules extend the proposed 90-day “grace period” to 120 days so that employees can first report their concerns internally—while still maintaining their “place in line” for an SEC award.  The date of internal disclosure will serve as the effective date of disclosure to the SEC, so long as the employee reports the same information to the SEC within the 120-day period. 

SEC Bypassing Corporate Counsel 

Final Rule 21F authorizes SEC staff to communicate directly with whistleblowers who are directors, officers, members, agents or employees of an entity that has counsel, if the whistleblower initiated communications with the SEC.  A number of organizations—including the American Bar Association's ("ABA") Committee on the Federal Regulation of Securities—objected to the inclusion of such a provision, arguing that the Dodd-Frank Act does not authorize the SEC to bypass professional rules of conduct that prohibit attorneys from contacting a represented party.  However, the SEC asserts that Rule 21F, adopted by the ABA and most state bar organizations, fits within an exception to professional rules of conduct and permits contact with represented parties “where authorized by law.”

Rule 21F also provides that companies cannot take proactive measures to impede whistleblowers from communicating directly with the SEC, such as by enforcing or threatening to enforce a confidentiality agreement, and further prescribes that protective orders entered in SRO proceedings may not be used to prohibit parties from providing the SEC with information about a possible securities law violation. 

Anti-Retaliation Provisions Provide Broad Safeguards for Whistleblowers 

The Dodd-Frank Act creates strong anti-retaliation protections for employee-whistleblowers should they suffer discharge, demotion, suspension, threats, harassment or discrimination because of their reporting.  Aggrieved employee-whistleblowers are provided relief in the form of: 

      • a cause of action in federal district court; 
      • potential relief in the form of reinstatement (with same seniority status); 
      • double back pay with interest, and 
      • reimbursement for litigation fees.

Further, the Southern District of New York in Egan v. TradingScreen, Inc. recently clarified that the Act’s anti-retaliation provisions provide a cause of action to individuals who make disclosures directly to the SEC or under other provisions of the Act that do not require reporting to the SEC as a predicate to filing suit under the anti-retaliation provisions.  The Egan court also held that a whistleblower plaintiff need not personally make disclosures to the SEC; thus, employees cooperating in internal investigations may be “covered employees” under the Act where the results of an investigation are provided to the SEC.

The Rules further clarify that a whistleblower can rely on anti-retaliation protection even when the information she or he provided fails to qualify for the whistleblower reward, provided the whistleblower possessed a reasonable belief at the time of reporting that the information related to a possible securities law violation that occurred, was ongoing or was about to occur.  This “reasonable belief” standard requires a whistleblower to hold a subjectively genuine belief that the information demonstrates a possible violation, and requires this belief to be one that a similarly situated employee might possess.  This standard was included in the Rules to strike a balance between promoting high-quality tips without fear of retaliation, while discouraging bad faith or frivolous reports. 

Looking Forward: Practical Guidance for Post-Act Compliance 

While the Rules enacted by the SEC may present challenges to the effectiveness of internal compliance programs, there are measures companies can take to address these challenges. 

        • Promote the Reporting Program.  Corporations should ensure that their employees and third-party agents are sufficiently informed about the existence of internal reporting programs and procedures.  Such programs should be publicized internally to employees and, where appropriate, externally to third-party agents and contracting partners. 
        • Ensure the Efficient Function of Compliance Programs.  Compliance programs should be streamlined to ensure that allegations of misconduct are assessed in a timely manner by appropriate compliance employees.  While the Rules provide a 120-day window for whistleblowers to report their allegations internally, whistleblowers are by no means obligated to wait this long before turning to the SEC.  Thus, internal compliance programs must be designed around efficient reporting and escalation processes. 
        • Expect and Prepare for Increased Reporting.  First responders, such as whistleblower hotline employees, should be prepared for a possible increase in internally reported complaints and briefed on appropriate procedures for escalating credible allegations. 
        • Make Sure Compliance Programs Are up to Date.  At a minimum, compliance programs are expected to meet the standards of effectiveness pronounced in the U.S. Sentencing Guidelines for Business Organizations; DOJ and SEC policy statements; and major corporate legislation such as the Dodd-Frank Act and Sarbanes-Oxley Act.  International standards, such as those set by the OECD, may be applicable as well. 
        • Do Not Overlook Foreign Laws.  Given the increasing scrutiny of foreign operations of U.S. companies, corporations should consider the applicability of foreign laws when implementing any new measures.  For instance, after Sarbanes-Oxley was enacted, some European countries concluded that certain aspects of anonymous whistleblower hotlines violated their privacy and data protection laws.  Before implementing any new measures, corporations should be sure to assess the applicability of privacy, data protection and other laws in foreign countries where they do business. 
        • Ensure That All Policies Are Harmonized.  Finally, the impact of the Dodd-Frank Act on departments outside of compliance should be assessed.  For example, anti-retaliation policies should be reviewed by human resources departments to ensure that they comply with the broad protections afforded to whistleblowers by both the Act and the Rules.

A copy of the final Rules is available at:  http://www.sec.gov/rules/final/2011/34-64545.pdf

©2011 Perkins Coie LLP


 

Sign up for the latest legal news and insights  >