On May 25, 2011 the SEC adopted by a 3-2 vote controversial new rules implementing the whistleblower provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the Act). Broadly, the rules provide that whistleblowers who provide original information to the SEC that results in civil or criminal proceedings and sanctions exceeding $1 million may be entitled to a bounty of 10 percent to 30 percent of the recovery.
The response of the business community to the new rules has been swift and virtually unanimous. Commentators have observed that by permitting whistleblowers to report suspected violations to the SEC without first reporting them to a company’s internal compliance function, the rules will impair the effectiveness of compliance programs and increase companies’ financial and legal liability. They have also noted that the SEC’s objective for the rules (among others) was to encourage employees to report possible violations internally. The new rules, they say, provide the opposite incentive.
Time will tell whether the rules will fundamentally reshape the compliance landscape. Thus far, the rules have not demonstrated the impact that many predicted. According to SEC spokesman John Nester, the number of tips has not increased but the quality has improved. The phenomenon suggests that tips are coming from higher-level employees with greater access to facts underlying potential violations of the securities laws.
Despite the increase of legitimate tips, the SEC may not be able to aggressively investigate them. On June 23, 2011, the House Appropriations Committee rejected the SEC’s increased budget proposal for fiscal year 2012 beginning October 1 and instead voted to level fund the agency. The vote was a significant blow – the SEC requested the additional funds in order to perform its increased responsibilities under the Act. It is unclear how effectively the SEC will be able to investigate tips under the rules, at least for the next fiscal year.
Budget restrictions aside, companies must still take steps to try to limit the number of possible whistleblowers and, through modifications to existing compliance programs, reduce the risk of being blindsided by an SEC investigation.
Strategies for Reducing Whistleblower Risk
Companies may use their legal function to limit the number of eligible whistleblowers. Rule 21F-4(b)(4) precludes the SEC from making an award to a whistleblower whose information was obtained: (i) through a communication that was subject to the attorney-client privilege; or (ii) in connection with the legal representation of a client on whose behalf the individual or the individual’s lawyer or firm are providing services, unless disclosure of that information would otherwise be permitted by an attorney pursuant to SEC Standards of Professional Conduct, applicable state attorney conduct rules, or otherwise. The exclusion applies to all attorneys – both in-house and outside counsel.
Companies should consider – for the purpose of ensuring compliance with the securities laws – broadening the involvement of counsel in financial reporting and other issues. Further, once a company is on notice of a possible violation, it may use counsel as the conduit to collect facts and report them to a board or special committee. The recipients of that information should be ineligible for a bounty.
Rule 21F-4(b)(4)(iii) also precludes awards to potential whistleblowers who obtain information because they were: (A) directors or officers who learn of information in connection with processes for identifying or reporting violations; (B) internal compliance or audit employees; or (C) persons employed to conduct an inquiry or investigation into violations of law. The exclusion of these categories from an award is not ironclad. Whistleblowers are eligible for a bounty if they believe that disclosure is necessary to prevent substantial injury to the financial interest of the company, or that the company is engaging in conduct that will impede an investigation, or 120 days have elapsed since the whistleblower reported the information to internal functions or a supervisor. However, none of the exceptions apply if any of these categories of whistleblower obtained their information from a privileged source.
In light of the potential payout, companies cannot realistically disincentivize employees – particularly opportunistic ones – from reporting possible violations to the SEC. However, by modifying their compliance programs to maximize the likelihood of internal reporting, a company can at least have notice of an impending (or actual) disclosure and take appropriate investigative and remedial measures. An effective program should ensure that an employee having made an allegation knows that the company is acting on it. Among other things, the employee should have an open and anonymous line to the company’s compliance function in order to obtain progress reports (consistent with the need to preserve confidentiality) and be a resource for additional information. Giving an employee “ownership” of his allegation may not preclude a disclosure to the SEC, but it may ensure continued cooperation and permit a proactive response by the company.
Finally, companies should determine whether they have adequate insurance. Most companies already have D&O coverage but they should ensure that the costs of internal or SEC investigations are covered. While such policies are expensive, companies may be able to negotiate policy discounts if they take steps to improve their internal compliance programs and otherwise indicate a limited risk of liability.
Regardless of what measures a company chooses to take in light of the new rules, all companies should continue to investigate promptly any allegations of misconduct. The budget constraints faced by the SEC for the next fiscal year may hold back the wave of new investigations but the business community cannot rest easy.