On November 3, 2010, the U.S. Securities and Exchange Commission ("SEC") proposed a rule to implement the new whistleblower program mandated by Section 922 of the Dodd-Frank Act. The proposed rule establishes standards and procedures pursuant to which the SEC would reward whistleblowers who provide high quality tips to the agency that lead to successful SEC enforcement actions. The SEC’s press release is available here: http://sec.gov/news/press/2010/2010-213.htm. The full 181-page proposal is available at http://www.sec.gov/rules/proposed/2010/34-63237.pdf.[1]
The proposed rule raises a number of significant policy and practical questions that will impact companies and their compliance (and related) programs. The most significant issue is whether the proposed rule strikes an appropriate balance in furthering the SEC’s goal to promote whistleblower complaints without undermining the effectiveness of a company’s legal, audit, and compliance programs. Even though the proposing release acknowledges this issue, it is likely that comments on the proposed rule will raise questions about whether it gives sufficient deference to these corporate programs.
A. Key Sections of the New Whistleblower Rule
1. Definitions
Whistleblower. The proposed rule defines a whistleblower as "an individual who, alone or jointly with others, provides information to the Commission relating to a potential violation of the securities laws." The whistleblower must be a natural person and may remain anonymous when reporting potential violations to the SEC. To be eligible for an award, a whistleblower must submit original information to the SEC in accordance with all the procedures and conditions set forth in the proposed rule.
Voluntary submission of information. All information must be voluntarily provided to the SEC. In general, information is voluntarily provided if there is no legal requirement that the recipient of the request provide the information or even respond to the request. A whistleblower is deemed to have provided information voluntarily to the SEC if the whistleblower has initially and voluntarily provided information to a local, state, or federal authority; the Congress; a self-regulatory organization; or the Public Company Accounting Oversight Board.
Original information. All information provided must be original. Original information must be based on the whistleblower’s independent knowledge or independent analysis, and not already known to the Commission and not derived exclusively from certain public sources. Original information includes only that information that is provided to the SEC for the first time after July 21, 2010. If the whistleblower provides the same information to another authority, such as an internal compliance program, the whistleblower will have a 90-day grace period during which he or she can alert the SEC and still be considered to have provided original information as of the date the information was provided to the compliance program. Ordinarily, information provided after an investigation has begun is not eligible for an award unless it has not been requested by the investigating agency and is either important to the success of the later enforcement action or informs the government of a new, potential violation of which it was previously unaware.
2. Payment of Award
The SEC will pay an award to one or more whistleblowers who voluntarily provide the SEC with original information that leads to the successful enforcement by the Commission of a federal court or administrative action in which the Commission obtains monetary sanctions–civil money penalties, disgorgement, and prejudgment interest–totaling more than $1 million. The SEC may also pay an award to a whistleblower based on monetary sanctions that are collected from a "related action," which may be an enforcement action commenced by the U.S. Department of Justice or other government agency. The SEC will not pay an award in a related action if an award has already been granted to the whistleblower by the U.S. Commodity Futures Trading Commission for the same action.
3. Exclusions from Eligibility to Receive an Award
The proposed rule limits which individuals can be considered whistleblowers eligible for an award payment. Specifically, it exempts several categories of individuals who are not eligible for awards.
Certain employees. Employees with a legal or contractual duty to report to governmental authorities, any self-regulatory organization, or the Public Company Accounting Oversight Board, or to investigate information, are not eligible to receive an award. This applies when a person with legal, compliance, audit, supervisory, or governance responsibilities for an entity receives information about a potential violation. In a related exception, information obtained through an entity’s legal, compliance, audit, or similar function is not eligible. But none of these exclusions is applicable if the individual reported the information to the entity but the entity does not disclose the information to the SEC within a "reasonable time" or proceeds in "bad faith." The rule also includes an expectation that employees who learn of potential violations as part of their corporate responsibilities will take steps to address the violations.
Attorneys. Attorneys are not permitted to use information obtained from client engagements or attorney-client privileged information to make whistleblower claims for themselves (unless disclosure of the information is permitted under SEC rules or state bar rules).
Accountants. Independent public accountants and others who obtain information through an engagement required under the securities laws are not eligible for an award if that information relates to a violation by the engagement client or the client’s directors, officers, or other employees.
Other exclusions. Information that was obtained in a manner that violates federal or state criminal law is also excluded. The proposal further excludes foreign government officials, and, in order to prevent evasion of rules, anyone who obtained their information from persons subject to the other exclusions.
Statutory exclusions. Certain other individuals–such as employees of certain agencies and people who are criminally convicted in connection with the conduct–are excluded by the Dodd-Frank Act.
4. Information Must Lead to Successful Enforcement
Whistleblowers will be eligible for awards if they provided the SEC with original information that caused the SEC to commence an examination, open an investigation, reopen an investigation that the Commission had closed, or inquire concerning new or different conduct as part of a current examination or investigation, and the information significantly contributed to the success of the action. Alternatively, if the information is regarding conduct that is already under examination or investigation, the information must either lead to the discovery of new violations not otherwise known, or not be otherwise obtainable and essential to the success of the action.
5. Amount of Award
If all the conditions of the proposed rule are met, the SEC will decide the amount of the award based on the following criteria. First, the statute provides that the amount must be at least 10 percent and no more than 30 percent of the monetary sanctions that the Commission is able to collect. Second, the proposed rule states that, in determining the amount of an award, the SEC must consider:
- the significance of the information provided by a whistleblower to the success of the Commission action or related action;
- the degree of assistance provided by the whistleblower and any legal representatives of the whistleblower in the Commission action or related action;
- the programmatic interest of the Commission in deterring violations of the securities laws by making awards to whistleblowers who provide information that leads to the successful enforcement of such laws; and
- whether the award otherwise enhances the Commission’s ability to enforce the federal securities laws, protect investors, and encourage the submission of high quality information from whistleblowers.
As part of the analysis, the proposed rule provides that the SEC may take into consideration the following:
- the degree to which the whistleblower took steps to prevent the violations from occurring or continuing;
- the efforts undertaken by the whistleblower to remediate the harm caused by the violations;
- the culpability of the whistleblower; and
- whether a whistleblower reported the potential violation through effective internal whistleblower, legal, or compliance procedures before reporting the violation to the SEC.
6. Confidentiality
Under the proposed rule, the SEC will not disclose information that could reasonably be expected to reveal the identity of the whistleblower, except under certain circumstances, such as when disclosure is required to a defendant in connection with a federal court or administrative action, or when the SEC determines that it is necessary to disclose to the Department of Justice or other regulatory agency in order to advance the purposes of the Exchange Act or to protect investors. The proposed rule also requires that anonymous whistleblowers be represented by an attorney who must certify that he or she has verified the whistleblower’s identity.
7. Amnesty and Culpable Individuals
The proposed rule does not grant amnesty to individuals who provide information to the SEC. In addition, in determining whether the required $1 million threshold has been satisfied for purposes of making the award, the SEC will exclude any monetary sanctions that the whistleblower is ordered to pay, or that are ordered against any entity whose liability is based on conduct that the whistleblower directed, planned, or initiated. In implementing this provision, the SEC states that it is seeking to prevent wrongdoers from financially benefitting from essentially blowing the whistle on their own misconduct. On the other hand, the proposed rule expressly contemplates that a whistleblower may be a participant in a securities fraud scheme or otherwise engage in other culpable conduct and could still receive an award.
8. Staff Communications with Whistleblowers
The proposal authorizes the SEC staff to communicate directly with whistleblowers who are directors, officers, members, agents, or employees of an entity that has counsel, without first seeking the consent of the entity’s counsel. The rule attempts to create an exemption under state bar ethics rules governing the professional responsibility of lawyers to permit the staff to communicate with a whistleblower under these circumstances.
B. Analysis
The SEC’s lengthy whistleblower proposal warrants careful scrutiny from the business and professional community, and the agency has invited comments on all facets of the proposed rule. The proposed rule raises a number of important issues, including issues regarding confidentiality, privilege, and possible divided loyalties within the compliance function. A fundamental issue is whether the proposed rule appropriately balances the policy goals of encouraging whistleblowers to report securities wrongdoing to the SEC while ensuring the effectiveness of company compliance programs. In its adopting release, the Commission expressed serious concern about creating a rule that had the unintended consequence of undermining internal legal, audit, and compliance programs. The Commission intends that the proposed rule not discourage whistleblowers who work for companies with robust compliance programs to first report violations internally. As discussed below, there are legitimate concerns that the rule, as presently drafted, may in fact do just that, as well as raise other issues.
Significantly, the proposed rule does not require an individual to report a potential violation internally to the company as a prerequisite to being an eligible whistleblower (although the SEC invites comment on this issue). Rather, the proposed rule attempts to accommodate companies’ interest in effective compliance programs by providing (among other things) that:
- if a whistleblower provides the information to the company’s internal compliance program, the whistleblower will have a 90-day grace period during which he or she can alert the SEC and still be considered to have provided original information as of the date of the report to the internal compliance program;
- when determining the amount of an award, the SEC may consider whether a whistleblower reported the potential violation through effective internal whistleblower, legal, or compliance procedures before reporting the violation to the SEC; and
- employees with a legal or contractual duty to report or investigate information, such as compliance personnel, generally are not eligible to receive an award.
These provisions may not be enough, however, to discourage an individual from bypassing his or her company’s internal compliance and reporting program.
First, the 90-day window, which permits a whistleblower to first report to the company and then report to the SEC and have the SEC report relate back to the date of the report to the company, arguably is not, by itself, a reason to report through the company’s compliance program. The threshold question is why an employee would want to take advantage of the 90-day window in the first instance, unless it is clear that such a step would help maximize his or her ultimate recovery.
Second, in determining the amount of the award, the SEC must consider a number of factors but is not required to consider whether the employee first reported the alleged violation in accordance with the company’s internal procedures. Whether or not the employee did so is instead a "permissible consideration[]" that the SEC may take into account and, even then, only when warranted in a particular case. The rule could (but does not) state that internal reporting will be considered a significant positive factor in determining the amount of the payout to the whistleblower, and that failure promptly to invoke internal company reporting procedures will be treated as a negative factor. By its terms, the proposed rule does not appear to set forth any concrete reason why an employee should use the 90-day grace period.
Third, although a person with legal, compliance, audit, supervisory, or governance responsibilities for an entity generally cannot be a whistleblower under the proposed rule, there is a notable exception: those individuals may qualify as whistleblowers if they report the alleged violation to their compliance program but the entity: (1) does not disclose the information to the SEC "within a reasonable time" or (2) proceeds "in bad faith." In this context, some commenters may say that the terms "reasonable time" and "bad faith" are unworkably vague, creating an incentive for individuals whose job it is to detect and investigate fraud to go to the SEC as whistleblowers. The argument might proceed that, given the seductively high bounties available, such individuals, in practice, could render the "reasonable time" and "bad faith" elements toothless. For example, a supervisor may report a potential violation to the internal compliance program and soon thereafter claim that the company failed to report the alleged violation to the SEC in a reasonable time–because in the supervisor’s estimation, for example, the facts and circumstances of the particular case required more immediate disclosure to the Commission. Or an internal auditor for a company who discovers possible securities wrongdoing in the performance of an internal audit may protectively report it to the SEC just in case the company is slower than is deemed reasonable in reporting it to the SEC (if indeed such reporting is warranted). Or, further still, if an individual believes that his or her report to the company’s compliance department may enable a member of that department to obtain the bounty as a whistleblower, the individual may avoid submitting the report rather than take the risk of someone else receiving the award. Given the potential size of the bounty, some whistleblowers may decide to take no chances and avoid the internal program altogether.
In sum, the proposed framework may operate to undermine the effectiveness of internal company compliance programs by creating an incentive–and no meaningful disincentive–for employees to bypass internal company reporting procedures and report alleged violations directly to the SEC. This is unfortunate as oftentimes companies can move more quickly than the government to stop nascent wrongdoing by immediately removing those who are culpable from their positions and overseeing activities that may be suspect. If the rule were adopted as is, the impact on companies’ compliance programs would likely be significant. Among other things, the rule could: (1) deprive the company of the ability to investigate promptly, determine the scope of the problem, and stop or limit the impact of wrongdoing; (2) if there is a systemic problem, deprive the company of the ability to revise its internal controls and procedures to stop violations; (3) impair the company’s ability to take disciplinary action against employees who may have violated the law or internal company policies, as well as discipline those who are aware of wrongdoing and idly sit by; and (4) discourage employees from coming to the company with questions as to possible conduct that might or might not be a violation of law or company policy.
C. Need to Comment on Proposed Rule
In the proposed rule and accompanying release, the SEC embraced the premise that effective internal compliance programs play an important role in protecting investors. Accordingly, the Commission made clear that the rule is "not intend[ed] . . . to undermine effective company processes" and expressed concerns about "unintended consequences" that could arise from the proposed rule. Seeking to avoid such consequences, the Commission specifically invited comments in a number of areas, including some of those concerns raised above. For example, the SEC expressly requested comments on:
- All aspects of the intersection between the proposed rule and established internal systems for the receipt, handling, and response to complaints about potential violations of law. The agency particularly seeks recommendations on structures, processes, and incentives that it should consider implementing in order to strike the right balance between the Commission’s need for a strong and effective whistleblower awards program, and the importance of preserving robust corporate structures for self-policing and self-reporting.
- Whether the proposed rule would frustrate internal compliance structures and systems that many companies have established in response to Section 10A(m) of the Securities Exchange Act, as added by Section 301 of the Sarbanes-Oxley Act of 2002, and related exchange listing standards.
- Whether the 90-day deadline for submitting a potential violation to the Commission (after initially providing information about the potential violation to another authority or the employer’s legal, compliance, or audit personnel) is an appropriate timeframe.
- Whether the agency should consider a rule that would require whistleblowers to utilize employer-sponsored complaint and reporting procedures.
- Whether the Commission should identify additional criteria that it will consider in determining the amount of an award, and whether the agency should include as a criterion the consideration of whether, and the extent to which, a whistleblower reported the potential violation through effective internal whistleblower, legal, or compliance procedures before reporting the violation to the Commission.
- Whether the proposed exclusions for information obtained by a person with legal, compliance, audit, supervisory, or governance responsibilities for an entity, and for information otherwise obtained from or through an entity’s legal, compliance, audit, or similar functions, strike the proper balance; and whether the carve-out for situations where the entity does not disclose the information within a reasonable time promotes effective self-policing functions and compliance with the law without undermining the operation of the proposed rule.
The SEC is seeking public comments on its whistleblower proposal through December 17, 2010, and the agency is required to adopt regulations implementing the whistleblower program no later than April 21, 2011. This is an excellent opportunity to help shape the rulemaking in this important area.
[1] All provisions of the proposal are set forth in the Proposed Rules for Implementing the Whistleblower Provisions of Section 21F of the Securities Exchange Act of 1934, Release No. 34-63237 (proposed Nov. 3, 2010) (to be codified at 17 C.F.R. § 240.21F-1 et seq.).