The Dodd-Frank Act, which was signed by President Obama on July 21, 2010, includes (in Section 922) a whistleblower program sponsored by the Securities and Exchange Commission (SEC). This law (i) makes significant changes in the existing whistleblower provisions of the Sarbanes-Oxley Act of 2002, and (ii) authorizes the SEC to pay between 10 and 30 percent of a recovery over $1 million to anyone who brings forward original information of fraud. Monetary sanctions under $1 million do not qualify under the SEC bounty program.
Because of the changes described in this article, employers should review their whistleblower reporting systems adopted under the Sarbanes-Oxley Act of 2002 (SOX). Procedures that might have worked acceptably under OSHA/DOL enforcement are no longer a good idea under SEC enforcement and the bounty program that the SEC will administer. While most registrants do not experience serious financial reporting complaints, just one such complaint that could have been addressed without an SEC investigation will certainly warrant changes to any laxness in a registrant’s existing program. We offer specifics at the end of this article.
SEC is Proceeding with their Whistleblower Program
Under the Dodd-Frank Act, the SEC’s rules must be finalized by April 2011. The SEC is diligently proceeding to get this program implemented. Specifically:
- In October 2010, the SEC recently announced initial funding of its whistleblower reward program with $450 million, and
- On November 3, 2010, the SEC unanimously approved its draft of proposed rules for public comment.
The SEC’s “fact sheet” for its implementation rules nicely summarizes the requirements for obtaining a whistleblower bounty, as follows:
“To be considered for an award, a whistleblower must …Voluntarily provide the SEC …
In general, a whistleblower is deemed to have provided information voluntarily if the whistleblower has provided information before the government, a self-regulatory organization or the Public Company Accounting Oversight Board asks for it.
… with original information …
Original information must be based upon the whistleblower’s independent knowledge or independent analysis, not already known to the Commission and not derived exclusively from certain public sources.
… that leads to the successful enforcement by the SEC of a federal court or administrative action …
A whistleblower’s information can be deemed to have led to successful enforcement in two circumstances: (1) if the information results in a new examination or investigation being opened and significantly contributes to the success of a resulting enforcement action, or (2) if the conduct was already under investigation when the information was submitted, but the information is essential to the success of the action and would not have otherwise been obtained. …”
Significant Changes to Existing Whistleblower Laws
Existing whistleblower laws under the Sarbanes-Oxley Act of 2002 (SOX) remain generally intact, but are amended. Like most whistleblower protection laws already on the books, new Section 21F of the Securities Exchange Act prohibits employers from retaliating in any way against an employee for providing information to the SEC, or assisting in an investigation or judicial or administrative action relating to the information provided.
The Dodd-Frank Act amends SOX’s whistleblower provisions as follows:
- Importantly, the Department of Labor (DOL) was given responsibility for addressing employee complaints under SOX. Previously, employees were required to exhaust their administrative remedies under OSHA and the DOL. But, the DOL largely gutted enforcement of SOX’s whistleblower provisions, and the vast majority of claimants settled or walked-away from their claims. For examples of the DOL’s tortured enforcement, see DOL Continues to Ignore and Rewrite Sox’s Whistleblower Law. Under Dodd-Frank, whistleblower claimants can now bypass OSHA/DOL entirely and file their claim in U.S. District Court.
- Claimants now have a longer period (180 days vs. the previous 90 days) in which to file an administrative action with OSHA. The time limitation starts on the date on which the violation occurs, or on the date that the employee became aware of the violation. Previously, time started on the date on which the violation occurred, regardless of when the employee became aware of it.
- On civil actions, claimants have longer to bring a lawsuit. Employees now have (i) up to six years after the violation complained of by the whistleblower occurs or (ii) more than three years after the employee knew or reasonably should have known about the facts material to his claim. Notwithstanding the above periods, any such action may not be brought more than ten years after the date on which the violation occurred.
- Relief for prevailing employees includes reinstatement, double back pay plus interest, and attorneys’ fees and litigation costs. The double back pay recovery is new under Dodd-Frank.
- Employees now have a clarified right to jury trial. Previously, at least one court ruled that no such right existed.
- Pre-dispute arbitration agreements in this area are now barred.
- It is now explicit that the whistleblower protections apply to all publicly-traded companies and their subsidiaries. Previously, the DOL and at least one court had taken the position that subsidiaries of publicly-traded companies were not covered by the whistleblower provisions.
Broad Scope of SEC New Enforcement
Before Dodd-Frank, the SEC ran an insider trading bounty program. However, this program actually addressed only a handful of payments since 1998, and none of the payments have been substantial. In contrast, the new SEC program will include the Securities Exchange Act, the Foreign Corrupt Practices Act (FCPA) and other federal violations. Consequently, the SEC’s whistleblower bounties could be quite substantial.
For example, the FCPA makes it illegal to give anything of value to a foreign government official in order to obtain or retain business, or to secure an improper business advantage. In some countries, nearly every aspect of the approval, manufacture, import, export, pricing, sale, or marketing of a product will involve a “foreign official” as defined by the FCPA. Since 2005, the Department of Justice brought over 60 FCPA cases. At the end of 2009, the DOJ and SEC were pursuing over a hundred FCPA investigations. The FCPA recently generated enormous fines that could make whistleblowing potentially quite lucrative. For example:
- The combined monetary sanction assessed against Siemens in 2008 totaled $1.6 billion, including an approximate $450 million fine by the DOJ, $350 million disgorgement to the SEC, and $850 million in penalties assessed by the German government.
- The combined monetary sanction assessed against Kellogg Brown & Root and former parent company Halliburton in 2009 totaled approximately $580 million, including a $400 million fine and $180 million in disgorgement.
- The combined monetary sanction assessed against BAE Systems in 2010 totaled approximately $450 million to the U.S. and British authorities.
ACFE Study Again Shows the Value of Whistleblower Reporting Systems
The Association of Certified Fraud Examiners (ACFE) publishes a study of frauds reported by its members every other year. The results have generally been consistent, although the scope of each study has become more comprehensive. The 2010 study (the fifth such study) was recently published. The most recent study, like its four predecessors, emphasizes the importance of whistleblower reporting systems, and how they should be implemented.
The 2010 study emphasizes the challenge involved with identifying fraudsters before they entered a victim’s employ. Consistent with prior studies, more than 85% of the fraudsters had never been previously charged or convicted for a fraud-related offense. Not shockingly, when high level executives were involved, significantly greater losses occurred. Frauds committed by executives were more than nine times more costly than frauds committed by rank & file employees. Executive-level frauds also took much longer to detect.
But, regardless of the perpetrator, fraud losses were expensive. The median loss in occupational fraud cases was $160,000. Nearly one-quarter of the frauds involved losses of over $1 million.
The control device that had the greatest impact on the amount of the loss suffered by victim organizations was a whistleblower reporting system. Organizations with such systems faced losses that were approximately 60% less than those without such hotline systems. For this reason, the report unequivocally states that whistleblower hotlines should be implemented.
“Fraud reporting mechanisms are a critical component of an effective fraud prevention and detection system. Organizations should implement hotlines to receive tips from both internal and external sources. Such reporting mechanisms should allow anonymity and confidentiality, and employees should be encouraged to report suspicious activity without fear of reprisal.”
Whistleblower reporting systems assisted in all aspects of fraud loss reduction. When whistleblower systems were in place, frauds were detected faster, and losses were less. According to the report:
“Hotlines are an effective way to encourage tips from employees who might otherwise not report misconduct. Perhaps most important … organizations that had fraud hotlines suffered much smaller fraud losses than organizations without hotlines. Those organizations also tended to detect frauds seven months earlier than their counterparts. …
We compared the median loss experienced by those organizations that had a particular anti-fraud control against the median loss for those organizations without that control at the time of the fraud. Hotlines were the control with the greatest associated reduction in median loss, reinforcing their value as an effective anti-fraud measure.”
No other control device had similar effectiveness. The report indicates that both internal and outside audits are relied on heavily to prevent and catch fraud, yet they are ineffective. Similarly, other internal controls are also not as effective as business managers would like.
“Internal controls alone are insufficient to fully prevent occupational fraud. Though it is important for organizations to have strategic and effective anti-fraud controls in place, internal controls will not prevent all fraud from occurring, nor will they detect most fraud once it begins.
…tips are the number one means by which fraud is detected. However, less than half of the victim organizations in our study had a hotline in place at the time the fraud occurred. There is evidence that the presence of a hotline improves organizations’ ability to detect fraud and limit fraud losses, which should cause more organizations to implement fraud hotlines.”
Small businesses face proportionately larger fraud losses. Because many such companies are not required to have whistleblower hotlines, whistleblower reporting systems are infrequently used by small, private companies. The report strongly encourages changes in this approach. For example:
“Small businesses are particularly vulnerable to fraud. In general, these organizations have far fewer controls in place to protect their resources from fraud and abuse. Managers and owners of small businesses should focus their control investments on the most cost-effective mechanisms, such as hotlines … Perhaps most concerning is that only 15% of small businesses had a hotline in place, compared to 64% of larger organizations. … Arguably, enacting hotlines would go a long way in helping small-business owners protect their assets from dishonest employees.”
Practical Implementation Impacts
Although the possibility of a reward will motivate some to report to the SEC regardless of the employer’s response, some employees are more interested in anonymously getting changes made. For these tipsters, it is increasing important for companies to quickly handle the complaints properly.
To do this, companies should reevaluate the methods they are now using to collect complaints. Specifically:
- Obviously, companies would prefer to address these matters themselves, rather than having the additional inquiries and timetable of a government regulator such as the SEC. Companies should have an outside-sourced whistleblower system, and encourage its use. Such systems make it easier for employees to address their concerns so that (i) the company has an opportunity to take preemptive action, and (ii) employees are not sufficiently frustrated so that they seek resolution with government regulators. Many companies use internal collection means to comply with Sarbanes-Oxley Section 301(4). While internal solutions continue to be legally permissible under the new whistleblower laws, internal solutions are a mistake. Complainants are usually relieved to know that their anonymous complaints are being recorded and reported by someone independent of their employer. Companies currently using internal-only collection devices should involve an outside vendor, particularly in light of the extremely modest cost of such programs. For example, the vast majority of Fulcrum’s whistleblower clients pay only Fulcrum’s minimum annual cost (currently $800 annually).
- The majority of independently-provided whistleblower solutions are either (i) website only forms that provide little (if any) feedback to the complainant, or (ii) “hotline” phone answering companies that use untrained personnel reading scripts. Neither forms nor scripts are sufficiently flexible to appropriately address complex financial issues. These approaches are a mistake because they unnecessarily encourage complainants to believe their concerns are being treated with insufficient care and seriousness.
- Because the consequences of any securities law violation are less severe for self-reported violations, the SEC’s bounty program should push employers to provide more and quicker voluntary disclosures. Otherwise, whistleblowers might get the SEC involved before the company makes its own disclosure.
For more guidance on what should be part of a company’s hotline and whistleblower process, see Best Practices in Whistleblower Systems.