The Securities and Exchange Commission (SEC) has voted three to two to approve new Regulation 21F implementing the whistleblower bounty programme and anti-retaliation provisions mandated by Section 922(a) of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.(1) Regulation 21F will take effect 60 days after publication in the Federal Register. The most controversial aspect of the proposed regulation was the absence of a requirement that corporate whistleblowers report internally before going to the SEC. While the final regulation does not require this, it enhances the incentives for whistleblowers to do so.
The SEC's new whistleblower complaint programme will be administered by the newly created Office of the Whistleblower residing within the Division of Enforcement. Under this programme, an eligible individual (but not a corporation or other entity) may receive a cash award from a special SEC fund ranging from 10% to 30% of the total amount of monetary fines, in excess of $1 million, recovered by the SEC in a civil judicial or administrative action. An eligible whistleblower also may receive a cash award based on monetary sanctions collected by other regulatory or law-enforcement authorities in a "related action", including fines and penalties imposed in a federal criminal prosecution brought by the Department of Justice.(2) To recover, a whistleblower must "voluntarily" provide, in accordance with specific rules, "original information" about a violation of the federal securities laws that has occurred, is ongoing or is about to occur and that ultimately "leads to successful enforcement action".(3) While until now the SEC could offer financial incentives only to tippers in the area of insider trading, the new whistleblower programme provides bounties for information relating to any violation of the federal securities laws, including the Foreign Corrupt Practices Act.
Companies should keep in mind that the whistleblower anti-retaliation provisions – which are enforceable by the SEC as well as by aggrieved whistleblowers – are broader in scope than the recovery provisions. The protections against retaliation apply even if a complaint does not result in an SEC enforcement action or if the whistleblower ultimately fails to receive an award, and the protections apply even if the whistleblower never goes to the SEC, but makes statements protected by the Sarbanes-Oxley Act of 2002.(4)
This update focuses on the new whistleblower rules from the perspective of boards of directors, senior executives and compliance personnel, who face considerable challenges in keeping compliance programmes premised on internal reporting viable in the face of the new bounty system. Boards should encourage executives and compliance personnel to review and strengthen the company's compliance culture and procedures to increase the odds that employees will report to the company first, enabling the company to determine whether a problem exists and take necessary action, which may include in appropriate circumstances self-reporting to the SEC. Efforts should be made to communicate, at every opportunity, the positive message that internal reporting is critical to the company's success, and that it is both expected and valued. In light of the strict prohibition against retaliation contained in Regulation 21F, directors, executives, managers and human resources (HR) and compliance personnel should be refreshed as to what forms of conduct may constitute retaliation for purposes of both Dodd-Frank and Sarbanes-Oxley. Equally important, existing procedures designed to protect employees against retaliation should be reviewed and updated as appropriate.
Internal reporting incentivised, but not required Critics of the SEC's proposed rules argued that the effectiveness of corporate compliance programmes would be seriously impaired by the bounty programme, since it would encourage employees to bypass these internal programmes and report directly to the SEC in order to be first in line to collect a substantial whistleblower award. Although the final rules do not mandate that whistleblowers report internally as a condition to receiving an award, the majority of commissioners who voted to adopt Regulation 21F asserted that the new rules include sufficient incentives for people to report internally without undermining the central purpose of Section 21F: "to encourage the submission of high-quality information to facilitate the effectiveness and efficiency of the Commission's enforcement program."(5)
As discussed in greater detail below, the final rules:
extend to 120 days the period of time during which a whistleblower who first reports information internally can wait before having to submit the same information to the SEC so as to be eligible for a potential award as of the time that the internal report was made;
attribute to a whistleblower who first reports internally all information subsequently reported by the company to the SEC following an internal investigation; and
clarify that when determining the amount of an award, the SEC will take into account whether the whistleblower participated in or, alternatively, hindered a company's internal compliance programme.
The impact of the new rules on corporate compliance programmes is the most controversial aspect of Regulation 21F. It remains to be seen whether the enhanced incentives described below will successfully promote internal reporting – or whether the concerns expressed by the two dissenting commissioners and many of those who commented on the proposed rules will be realised.
120-day lookback The final rules extend – from 90 to 120 days – the lookback period for an award based on information that a whistleblower reported internally before reporting to the SEC's Office of the Whistleblower pursuant to the procedures outlined in Regulation 21F. As a result, a whistleblower who first reports a possible violation through a company's internal compliance programme will have 120 days to make a subsequent report to the SEC and still retain eligibility for an award using the earlier internal reporting date as the date of submission. This preserves the whistleblower's 'place in line' regarding other potential whistleblowers. Even if a second whistleblower has made a submission that causes the SEC to initiate an investigation into the same matter after the first whistleblower's initial internal report, but before his or her subsequent report to the SEC, the whistleblower who had first reported internally will be given priority with respect to any whistleblower award.
Attribution of information The final rules expand the scope of the information that will be attributed to a whistleblower who utilises the company's internal compliance mechanisms. Specifically, Rule 21F-4 provides that all of the information provided by the employer to the SEC may be attributed to the whistleblower, subject to certain conditions set forth in Rule 21F-4(c), if:
a whistleblower makes a report internally before, or at the same time as, he or she reports to the SEC;
the company provides the SEC with the whistleblower's information or with the results of an investigation initiated in response to the whistleblower's information; and
the information provided by the company to the SEC led to a successful enforcement action.
Thus, a whistleblower may recover an award based on self-reporting by a public company even if he or she first reports one possible violation of the federal securities laws to the company in accordance with internal whistleblower complaint procedures and the company, after conducting its own internal investigation, finds additional potential violations and self-reports to the SEC. It may be possible that a whistleblower whose information alone would not have met the requirements for an award could, when his or her information is combined with the employer's additional information, qualify for an award.(6)
Increasing awards The final rules also include a direct financial incentive for not bypassing the company's internal compliance programme. Under the framework for determining awards, a higher award will be appropriate when a whistleblower reports information internally, and a lower award will be appropriate when he or she hinders the effectiveness of the company's internal compliance programme (although 'hindering effectiveness' has not yet been defined). A whistleblower will not be entitled to any award if he or she intentionally furnishes a false report to the SEC.(7)
Who qualifies as a whistleblower? Under Rule 21F-2(a), whistleblower status for purposes of the bounty programme is conferred on any individual who, either alone or "jointly with others", provides the SEC "voluntarily" with "original information" relating to a possible violation of the federal securities laws (including the SEC's rules and regulations thereunder) that "has occurred, is ongoing, or is about to occur". The bar here is relatively low – the information submitted by the whistleblower "should indicate a facially plausible relationship to some [federal] securities law violation – frivolous submissions would not qualify for whistleblower status".(8) In addition, the whistleblower must follow the procedures outlined in the new rules for submission of a report to the SEC. If a potential whistleblower wishes to submit an anonymous report to the SEC, he or she must hire an attorney to report on his or her behalf – and there appears to be a proliferation of law firms advertising their services in this regard.
Although employees, agents and even individuals who do not work for a company are eligible to be whistleblowers, institutional shareholders, non-governmental organisations and other entities are not. In addition, as discussed below, information provided by certain individuals is automatically disqualified for policy reasons (subject to exceptions) – these individuals include internal compliance personnel, inside and outside corporate counsel and a company's outside auditors.
In the interest of encouraging high-quality tips, the SEC decided to allow culpable individuals to be eligible for whistleblower awards despite concerns from commenters. The degree of culpability will be taken into account in setting a potential award. Individuals who include false information in the new SEC form for tip submission will, on the other hand, be subject to prosecution for perjury and ineligible for an award.
When is a whistleblower submission considered voluntary? Under Rule 21F(b)(1), a whistleblower must "voluntarily" submit original information to the SEC in order to recover a bounty. This requires that the whistleblower come forward before he or she (or his or her attorney or other representative) receives a request, inquiry or demand – whether made pursuant to a subpoena or an informal request for production – relating to the subject matter of the whistleblower's submission to the SEC from any of the following:
the SEC itself;
the Public Company Accounting Oversight Board (PCAOB) or any self-regulatory organisation (eg, the Financial Industry Regulatory Authority (FINRA));
Congress or any other authority of the federal government (eg, the Commodity Futures Trading Commission); or
a state attorney general or securities regulator.(9)
A submission will not be considered voluntary if the putative whistleblower is subject to a pre-existing legal or contractual duty to report information on possible federal securities law violations to the SEC or certain other authorities,(10) or to a similar duty arising out of a judicial or administrative order.(11)
In a significant departure from the proposed rules, the SEC decided to treat as 'voluntary' complaints from individual employees who are not otherwise disqualified, even if the company itself previously received a formal or informal demand from the SEC (or one of the other designated authorities) about any matter relevant to the individual's submission.(12) The SEC warned, however, that "individuals who wait to make their submission [to the SEC] until after a request is directed to their employer will not face an easy path to an award".(13)
What is 'original information'? Under Rule 21F-4(b), to qualify for the programme the whistleblower must provide "original information" to the SEC.(14) Original information must be derived from a whistleblower's "independent knowledge" or "independent analysis". 'Independent knowledge' refers to factual information in a whistleblower's possession that is not derived from publicly available sources. Examples include "experiences, communications and observations [made by the whistleblower] in… [his or her] business or social interactions". 'Independent analysis' refers to a whistleblower's own "examination and evaluation of information that may be publicly available, but which reveals information that is not generally known or available to the public". This analysis may be conducted alone or in combination with others.(15)
The final rules exclude from the scope of 'original information' information obtained from a communication that is protected by attorney-client privilege or obtained in connection with the individual's legal representation of a client, unless an attorney would be permitted to disclose the information pursuant to specified ethical obligations set forth in the SEC's 'up-the-ladder' attorney conduct rule,(16) and/or applicable state bar ethical rules (eg, that include the 'crime fraud' exception). These exclusions apply both to internal and external counsel and to non-attorneys working in corporate legal departments and law firms.
For policy reasons, the final rules also exclude from the scope of 'original information' information obtained by:
an officer, director, trustee or partner who either was informed by another person of allegations of misconduct or learned the information in connection with the company's internal compliance programme;
an employee of the company (or of a firm retained by the company) whose principal duties involve compliance or internal audit;
a person associated with a firm retained to conduct an internal investigation into possible violations of law;
a person associated with a public accounting firm, where the information surfaced through an audit or other engagement mandated by the federal securities laws and relates to a violation by the engagement client or the client's directors, officers or other employees; or
a means that violates applicable federal or state criminal law.(17)
However, in what one dissenting commissioner indicated might be exceptions that may swallow the rule, the SEC provided the following carve-outs from these exclusions:
when the person has a reasonable basis to believe that disclosure of the information to the SEC is necessary to prevent the company from engaging in conduct that is likely to cause substantial injury to the financial interest or property of the company or investors;
when the person has a reasonable basis to believe that the company is engaging in conduct that will impede an investigation of the misconduct (eg, destroying documents, improperly influencing witnesses or engaging in other improper conduct); or
when at least 120 days have elapsed since either:
the person provided the information to the audit committee, chief legal officer or chief compliance officer (or their equivalents), or to his or her supervisor; or
the person received the information, if he or she received it under circumstances indicating that the company's audit committee, chief legal officer, chief compliance officer (or their equivalents), or his or her supervisor was already aware of the information.
When will original information be deemed to have led to successful enforcement action? Rule 21F-4(c) outlines factors that the SEC will consider in determining whether an individual's submission of original information will be deemed to have "led to" a successful enforcement action. As under the proposed rules, the final rules apply different standards, depending on whether the information reported concerns conduct that is or is not already under investigation or examination by:
the SEC itself;
any other authority of the federal government;
a state attorney general or securities regulator;
a self-regulatory organisation; or
Where conduct is not under investigation or examination Information regarding conduct not under investigation or examination will be considered to have led to successful enforcement when:
the information is "sufficiently specific, credible and timely" to cause the SEC staff to commence a new investigation, reopen a closed investigation or enquire about different conduct under a current investigation; and
the SEC brings a successful action based in whole or in part on the conduct identified in the original information.
The adopting release notes that the 'sufficiently specific, credible and timely' standard was adopted to help ensure that the SEC receives only "high-quality tips... [meaning those] most likely to lead to a successful enforcement action".(18)
Where conduct is already under investigation or examination Information regarding conduct already under investigation or examination will be considered to have led to successful enforcement when the information "significantly contributed" to the success of the SEC action. The adopting release notes that the SEC will consider, among other things, whether the information allowed the SEC to bring a successful action in significantly less time or with significantly fewer resources, or enabled the SEC to bring additional successful claims or successful claims against additional individuals or entities.
However, the adopting release also notes that this standard is not intended to reward a whistleblower for obstructing an ongoing investigation in an effort to obtain an award.
As Rule 21F-2(b)(iii) makes clear, the anti-retaliation provisions apply no matter whether an aspiring whistleblower satisfies the requirements, procedures and conditions to qualify for an award. He or she need only have a "reasonable belief" that the information provided related to a possible violation of the federal securities laws or any other laws within the scope of the Sarbanes-Oxley anti-retaliation provisions. To qualify as a 'reasonable belief', two criteria must be met:
The employee had a "subjectively genuine belief that the information demonstrates a possible violation"; and
The belief itself is objectively reasonable, meaning that it is one that a "similarly situated employee might reasonably possess".(19)
Employers are prohibited from taking a wide range of adverse actions – discharging, demoting, suspending, threatening, harassing directly or indirectly, or discriminating in any other manner – "because of any lawful act done by the whistleblower" in connection with:
providing information to the SEC;
participating in any investigation or action undertaken by the SEC based on or related to information provided by the whistleblower; or
making disclosures required or protected by Sarbanes-Oxley or any other law, rule or regulation subject to the jurisdiction of the SEC.
The disclosures protected by Sarbanes-Oxley are extremely broad and require no external reporting (ie, to the SEC). For example, Section 806 of Sarbanes-Oxley protects disclosures made to "a person with supervisory authority over the employee (or such other person working for the employer who has the authority to investigate, discover, or terminate misconduct)", assuming that certain requirements are met.
Suits by whistleblowers for retaliation brought under Dodd-Frank may be more significant than those brought under Sarbanes-Oxley for the following reasons:
Suit may be brought directly in federal district court without filing first with the Department of Labour, as required by Sarbanes-Oxley.
Whistleblowers are entitled under Dodd-Frank to double the amount of back pay otherwise owed, while only back pay is available under Sarbanes-Oxley.
The statute of limitations is considerably longer under Dodd-Frank: suit must be brought within six years, or three years from when "facts material to the right of action are known or reasonably should have been known", but in no event more than 10 years after the date of the violation. In contrast, whistleblowers pursuing claims under Sarbanes-Oxley must file a claim with the secretary of labour within 180 days of the violation or the date on which the employee becomes aware of the violation.
In addition to suits brought directly by whistleblowers for retaliation, the SEC can pursue alleged violations of the Dodd-Frank anti-retaliation provisions.
Under the new rules, companies will need to be prepared for a variety of possible enforcement scenarios, including the following:
The whistleblower complains to the company but does not immediately go to the SEC;
The whistleblower complains to the company and the SEC simultaneously; or
The whistleblower complains to the SEC without notifying the company.
Of course, if the whistleblower does not notify the company, the company cannot investigate the issue unless and until the SEC brings the matter to its attention. Historically, when it has received tips and complaints about potential wrongdoing, the SEC staff has generally given companies the opportunity to "investigate and report back" and has evaluated their actions under the Seaboard factors.(20) The adopting release suggests that the SEC expects this approach to continue in the future.(21)
However, questions will undoubtedly arise in practice. For example, given the whistleblower's statutorily protected role, how much deference will the SEC give to a whistleblower's demand that the SEC not bring the matter to the company's attention in order to protect the whistleblower's identity? Moreover, the SEC staff will have wide latitude in administering the programme. The adopting release notes a number of factors that the SEC "may consider" in determining whether to follow its general approach in a particular case. These include "information [it has] concerning the nature of the alleged conduct, the level at which the conduct allegedly occurred, and the company's existing culture related to corporate governance", as well as "information [it has] about the company's internal compliance programs, including what role, if any, internal compliance had in bringing the information to management's or the Commission's attention".(22)
Even if the whistleblower brings his or her complaint to the company first, given the 120-day lookback period, the company faces an uncertain process. Since the company must assume that the whistleblower will bring his or her complaint to the SEC by the 120th day, the company must act expeditiously with respect to the complaint and attempt within that period to determine whether it is meritorious.(23) If the complaint appears to have merit, it will make strategic sense in most cases to alert the SEC before the 120-day clock expires. Indeed, there would seem to be few cases in which there is strategic advantage to waiting for the SEC to approach the company upon receipt of a complaint that the company has determined is meritorious or, at a minimum, raises legitimate issues requiring further inquiry.
However, there are many nuances to this issue, including when to make the initial report and whether to make it when the initial inquiry shows the allegation to be unmeritorious. There will surely be many situations in which a company has, on day 120, been unable to make any definitive conclusions about the allegations, yet believes that the issues are serious and credible. In these circumstances there is a strong argument that the company should make some disclosure to the SEC, with the caveat that the investigation is ongoing. Similarly, there may be circumstances in which it is clear or arguable that even earlier disclosure to the SEC is warranted and strategically prudent. This analysis should turn on:
the gravity and materiality of the initial allegation (including whether senior management and/or board members are the subject of the allegation);
the degree to which the initial findings of the inquiry are problematic; and
whether the company is uncertain as to when and whether the whistleblower may make its report to the SEC (and/or the Department of Justice, which may notify the SEC).
The overarching goal must be to avoid, to the extent possible, playing catch-up on the issue. The SEC is much more likely to be persuaded as to the merits of the company's position on an issue if it believes that the company or, where appropriate, the audit committee or board has proactively and thoroughly examined it.
This is not to say that all whistleblower complaints will or should result in the company self-reporting the issue to the SEC. There will certainly be situations in which self-reporting is not warranted, even though it may be only a matter of time before the SEC learns of the complaint. Thus, where a complaint lends itself to a contained investigation that reveals the complaint to be entirely unmeritorious, self-reporting to the SEC should not be automatic.(24) In such cases it is hard to imagine that the SEC staff would be disappointed if the company failed to bring it a full-blown report of the complaint and investigation (provided, of course, that the company otherwise addressed the complaint in an appropriate manner).
Rather, the company should fully document the nature and scope of the investigation and the involvement, where appropriate, of the audit committee or board, and be prepared, if and when the SEC comes calling, to walk the staff through the issues or, as appropriate, to provide the staff with a written summary of the issue and investigation. In pursuing this course, however, the company should consider the potential for the SEC staff to disagree with the company's view of the nature and gravity of the complaint and the manner of its disposition.
Given their statutory mandate, the staff may read the complaint more broadly than the company may have. Moreover, the staff may have been given documents and information by the whistleblower directly, of which the company may not have or may not be aware. This is most likely to occur where the whistleblower remains anonymous.
These issues are even more complicated for registered broker-dealers and other financial institutions subject to regulation by FINRA. New FINRA Rule 4530, which came into effect on July 1 2011, requires member firms to report within 30 days any conclusions by the firm that it or an associated person within the firm violated securities laws where the conduct had:
"widespread or potential widespread impact to the member, its customers or the markets, or conduct that arises from a material failure of the member's systems, policies or practices involving numerous customers, multiple errors or significant dollar amounts."
Firms may conclude that they are required to report the conclusions of an internal investigation instigated by a whistleblower provision to FINRA under Rule 4530, even though a report to the SEC would have been discretionary.
In sum, new Regulation 21F is likely to change the landscape in the enforcement area – with the unknown variable being, in these early days, how much flexibility the SEC and its staff will display in administering these rules. The rules create an environment where any employee (or other individual who does business with the company) who believes that he or she has knowledge about a possible federal securities law violation is highly motivated to report the information to the agency. Therefore, the best line of defence is for a company to have in place robust internal compliance and audit procedures designed proactively to uncover potential wrongdoing and, where misconduct is found, to address it promptly and remediate it aggressively before any whistleblower surfaces. Where the company learns of credible allegations of misconduct from a whistleblower, it should immediately investigate and, where the claims are credible, consider whether and when to report to the SEC.