The Dodd-Frank Act, which was signed by President Obama on July 21, 2010, includes (in Section 922) a whistleblower program sponsored by the Securities and Exchange Commission (SEC). This law (i) makes significant changes in the existing whistleblower provisions of the Sarbanes-Oxley Act of 2002, and (ii) authorizes the SEC to pay between 10 and 30 percent of a recovery over $1 million to anyone who brings forward original information of fraud. Monetary sanctions under $1 million do not qualify under the SEC bounty program.
Because of the changes described in this article, employers should review their whistleblower reporting systems. Procedures that might have worked acceptably under OSHA/DOL enforcement are no longer a good idea under SEC enforcement and the bounty program that the SEC will administer. While most registrants do not experience serious financial reporting complaints, just one such complaint that could have been addressed without an SEC investigation will certainly warrant changes to any laxness in a registrant’s existing program. We offer specifics at the end of this article.
Summary of the SEC’s Program
The SEC’s “fact sheet” for its implementation rules nicely summarizes the requirements for obtaining a whistleblower bounty, as follows:
Voluntarily provide the SEC …
In general, a whistleblower is deemed to have provided information voluntarily if the whistleblower has provided information before the government, a self-regulatory organization or the Public Company Accounting Oversight Board …
… with original information
Original information must be based upon the whistleblower’s independent knowledge or independent analysis, not already known to the Commission and not derived exclusively from certain public sources.
… that leads to the successful enforcement by the SEC in a federal court or administrative action
A whistleblower’s information can be deemed to have led to a successful enforcement action if:
- The information is sufficiently specific, credible and timely to cause the Commission to open a new examination or investigation, reopen a closed investigation, or open a new line of inquiry in an existing examination or investigation.
- The conduct was already under investigation when the information was submitted, and the information significantly contributed to the success of the action.
- The whistleblower reports original information through his or her employer’s internal whistleblower, legal, or compliance procedures before or at the same time it is passed along to the Commission; the employer provides the whistleblower’s information (and any subsequently-discovered information) to the Commission; and the employer’s report satisfies prongs (1) or (2) above.
… in which the SEC obtains monetary sanctions totaling more than $1 million.
The rules permit aggregation of multiple Commission cases that arise out of a common nucleus of operative facts as a single action. These may include proceedings involving the same or similar parties, factual allegations, alleged violations of the federal securities laws, or transactions or occurrences. “
SEC’s Final Rules
On May 25, the SEC approved final rules implementing this new program. Most controversially, the SEC declined to require that whistleblowers first use their employer’s whistleblower reporting system. In explaining its rules, the SEC made it quite clear that the purpose of Dodd Frank was to get reporting to the SEC, and NOT to improve corporate governance processes within registrants. Specifically:
“… a principal purpose of Section 21F is to promote effective enforcement of the federal securities laws by providing incentives for persons with knowledge of misconduct to come forward and share their information with the Commission. Although we acknowledge that internal investigations can be an important component of corporate compliance, and although there are existing incentives for companies to self-report violations, providing information to persons conducting an internal investigation, or simply being contacted by them, may not, without more, achieve the statutory purpose of getting high-quality, original information about securities violations directly into the hands of Commission staff.” (Emphasis added)
Because of this view of the underlying purpose of the law, the SEC’s final regulations do NOT mandate internal reporting of violations before reporting to the SEC’s Whistleblower Office. Instead, the SEC described their amended rules as follows:
“A significant issue discussed in the Proposing Release was the impact of the whistleblower program on companies’ internal compliance processes…. Commenters were sharply divided on the issues raised by this topic. After considering these different viewpoints, we have determined not to include a requirement that whistleblowers report violations internally, but we have made additional changes to the rules to further incentivize whistleblowers to utilize their companies’ internal compliance and reporting systems when appropriate.
o With respect to the criteria for determining the amount of an award, the final rules expressly provide: first, that a whistleblower’s voluntary participation in an entity’s internal compliance and reporting systems is a factor that can increase the amount of an award; and, second, that a whistleblower’s interference with internal compliance and reporting is a factor that can decrease the amount of an award.
o The final rules contain a provision under which a whistleblower can receive an award for reporting original information to an entity’s internal compliance and reporting systems, if the entity reports information to the Commission that leads to a successful Commission action. Under this provision, all the information provided by the entity to the Commission will be attributed to the whistleblower, which means that the whistleblower will get credit — and potentially a greater award — for any additional information generated by the entity in its investigation.
o The final rule extends the time for a whistleblower to report to the Commission after first reporting internally and still be treated as if he or she had reported to the Commission at the earlier reporting date. We proposed a “lookback period” of 90 days after the whistleblower’s internal report, but in response to comments, we are extending this period to 120 days in the final rules.”
Other areas of the proposed rules also were controversial. SEC Chairperson Mary Shapiro summarized these other concerns and related changes in the final rules, as follows:
“Categories of Persons: For example, the proposed rules limited the ability of lawyers, auditors and internal compliance personnel to improperly use their positions to claim a reward. Today’s final rule recognizes that we might have initially sought to exclude too many important, potential whistleblowers. So, the proposal [now finalized rule] narrows some of those exclusions and, more importantly, creates appropriate exceptions to ensure sufficient avenues for vital information ultimately to get to the SEC.
Simpler Procedure: Similarly, we agreed with those who advocated for a simpler, more streamlined procedure for submitting information. As such, the proposed final rule now includes a single form that a whistleblower can submit.
Whistleblower Protections: And, further, the final rules make clear that the statute’s whistleblower protections apply to anyone who provides us information, even if that information relates to a possible securities law violation, and regardless of whether it leads to a successful enforcement action.
Significant Changes to Existing Whistleblower Laws
Existing whistleblower laws under the Sarbanes-Oxley Act of 2002 (SOX) remain generally intact, but are amended. Like most whistleblower protection laws already on the books, new Section 21F of the Securities Exchange Act prohibits employers from retaliating in any way against an employee for providing information to the SEC, or assisting in an investigation or judicial or administrative action relating to the information provided.
The Dodd-Frank Act amends SOX’s whistleblower provisions as follows:
- Importantly, the Department of Labor (DOL) was given responsibility for addressing employee complaints under SOX. Previously, employees were required to exhaust their administrative remedies under OSHA and the DOL. But, the DOL largely gutted enforcement of SOX’s whistleblower provisions, and the vast majority of claimants settled or walked-away from their claims. For examples of the DOL’s tortured enforcement, see DOL Continues to Ignore and Rewrite Sox’s Whistleblower Law. Under Dodd-Frank, whistleblower claimants can now bypass OSHA/DOL entirely and file their claim in U.S. District Court.
- Claimants now have a longer period (180 days vs. the previous 90 days) in which to file an administrative action with OSHA. The time limitation starts on the date on which the violation occurs, or on the date that the employee became aware of the violation. Previously, time started on the date on which the violation occurred, regardless of when the employee became aware of it.
- On civil actions, claimants have longer to bring a lawsuit. Employees now have up to six years after the violation complained of by the whistleblower occurs.
- Relief for prevailing employees includes reinstatement, double back pay plus interest, and attorneys’ fees and litigation costs. The double back pay recovery is new under Dodd-Frank.
- Employees now have a clarified right to jury trial. Previously, at least one court ruled that no such right existed.
- Pre-dispute arbitration agreements in this area are now barred.
- It is now explicit that the whistleblower protections apply to all publicly-traded companies and their subsidiaries. Previously, the DOL and at least one court had taken the position that subsidiaries of publicly-traded companies were not covered by the whistleblower provisions.
Broad Scope of SEC New Enforcement
Before Dodd-Frank, the SEC ran an insider trading bounty program. However, this program actually made only a handful of payments since 1998, and none of the payments have been substantial. In contrast, the new SEC program will include violations of the Securities Exchange Act, the Foreign Corrupt Practices Act (FCPA) and other federal laws. Consequently, the SEC’s whistleblower bounties could be quite substantial.
For example, the FCPA makes it illegal to give anything of value to a foreign government official in order to obtain or retain business, or to secure an improper business advantage. In some countries, nearly every aspect of the approval, manufacture, import, export, pricing, sale, or marketing of a product will involve a “foreign official” as defined by the FCPA. The FCPA recently generated significantly increased enforcement and related enormous fines that could make whistleblowing potentially quite lucrative.
ACFE Study Again Shows the Value of Whistleblower Reporting Systems
The Association of Certified Fraud Examiners (ACFE) publishes a study of frauds reported by its members every other year. The results have generally been consistent, although the scope of each study has become more comprehensive. The 2010 study (the fifth such study, and the most recent as of this writing), like its four predecessors, emphasizes the importance of whistleblower reporting systems, and how they should be implemented.
The 2010 study demonstrates the challenge involved with identifying fraudsters before they entered a victim’s employ. Consistent with prior studies, more than 85% of the fraudsters had never been previously charged or convicted for a fraud-related offense. Not shockingly, when high level executives were involved, significantly greater losses occurred. Frauds committed by executives were more than nine times more costly than frauds committed by rank and file employees. Executive-level frauds also took much longer to detect.
But, regardless of the perpetrator, fraud losses were expensive. The median loss in occupational fraud cases was $160,000. Nearly one-quarter of the frauds involved losses of over $1 million.
The control device that had the greatest impact on the amount of the loss suffered by victim organizations was a whistleblower reporting system. Organizations with such systems faced losses that were approximately 60% less than those without such hotline systems. For this reason, the report unequivocally states that whistleblower hotlines should be implemented.
“Fraud reporting mechanisms are a critical component of an effective fraud prevention and detection system. Organizations should implement hotlines to receive tips from both internal and external sources. Such reporting mechanisms should allow anonymity and confidentiality, and employees should be encouraged to report suspicious activity without fear of reprisal.”
Whistleblower reporting systems assisted in all aspects of fraud loss reduction. When whistleblower systems were in place, frauds were detected faster and losses were less. According to the report:
“Hotlines are an effective way to encourage tips from employees who might otherwise not report misconduct. Perhaps most important … organizations that had fraud hotlines suffered much smaller fraud losses than organizations without hotlines. Those organizations also tended to detect frauds seven months earlier than their counterparts. … We compared the median loss experienced by those organizations that had a particular anti-fraud control against the median loss for those organizations without that control at the time of the fraud. Hotlines were the control with the greatest associated reduction in median loss, reinforcing their value as an effective anti-fraud measure.”
No other control device had similar effectiveness. The report indicates that both internal and outside audits are relied on heavily to prevent and catch fraud, yet they are ineffective. Similarly, other internal controls are also not as effective as business managers would like:
“Internal controls alone are insufficient to fully prevent occupational fraud. Though it is important for organizations to have strategic and effective anti-fraud controls in place, internal controls will not prevent all fraud from occurring, nor will they detect most fraud once it begins.
…tips are the number one means by which fraud is detected. However, less than half of the victim organizations in our study had a hotline in place at the time the fraud occurred. There is evidence that the presence of a hotline improves organizations’ ability to detect fraud and limit fraud losses, which should cause more organizations to implement fraud hotlines.”
Small businesses face proportionately larger fraud losses. Because many such companies are not required to have whistleblower hotlines, whistleblower reporting systems are infrequently used by small, private companies. The report strongly encourages changes in this approach. For example:
“Small businesses are particularly vulnerable to fraud. In general, these organizations have far fewer controls in place to protect their resources from fraud and abuse. Managers and owners of small businesses should focus their control investments on the most cost-effective mechanisms, such as hotlines … Perhaps most concerning is that only 15% of small businesses had a hotline in place, compared to 64% of larger organizations. … Arguably, enacting hotlines would go a long way in helping small-business owners protect their assets from dishonest employees.”
Practical Implementation Impacts
Although the possibility of a reward will motivate some to report to the SEC regardless of the employer’s response, some employees are more interested in anonymously getting changes made. For these tipsters, it is increasing important for companies to quickly handle the complaints properly. To do this, companies should reevaluate the methods they are now using to collect complaints. Specifically:
- Obviously, companies would prefer to address these matters themselves, rather than being forced to deal with the additional inquiries and timetable of a government regulator such as the SEC. Companies should have an outside-sourced whistleblower system and encourage its use. Such systems make it easier for employees to address their concerns so that (i) the company has an opportunity to take preemptive action, and (ii) employees are not sufficiently frustrated that they seek resolution with government regulators. Many companies use internal collection means to comply with Sarbanes-Oxley Section 301(4). While internal solutions continue to be legally permissible under the new whistleblower laws, internal solutions are a mistake. Complainants are usually relieved to know that their anonymous complaints are being recorded and reported by someone independent of their employer. Companies currently using internal-only collection devices should involve an outside vendor, particularly in light of the extremely modest cost of such programs. For example, the vast majority of Fulcrum’s whistleblower clients pay only Fulcrum’s minimum annual cost (currently $800 annually).
- The majority of independently-provided whistleblower solutions are either (i) website-only forms that provide little (if any) feedback to the complainant, or (ii) “hotline” phone answering companies that use untrained personnel reading scripts. Neither forms nor scripts are sufficiently flexible to appropriately address complex financial issues. These approaches are a mistake because they unnecessarily encourage complainants to believe their concerns are being treated with insufficient care and seriousness.
- Because the consequences of any securities law violation are less severe for self-reported violations, the SEC’s bounty program should push employers to provide more and quicker voluntary disclosures. Otherwise, whistleblowers might get the SEC involved before the company makes its own disclosure.
For more guidance on what should be part of a company’s hotline and whistleblower process, see Best Practices in Whistleblower Systems.