Hype and Reality in the Dodd-Frank Whistleblower Rules

A lot of commentators, including many law firms, have recently issued dire warnings concerning the final whistleblower rules adopted by the SEC on May 25 pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act. Some of the more extreme observations have expressed fears that companies’ internal compliance programs will be undermined and have recommended top-to-bottom revamping of internal compliance systems. Believing that at least some of this commentary may be overblown, we thought it might be appropriate to take a deep breath and examine what is real and what is hype.

First, it is important to remember what has not changed: the new rules still permit and indeed encourage both privately held and publicly traded companies to continue doing what most have been doing for years: (1) actively encouraging all employees to report potential compliance violations to the company, either by directly reporting any concerns to supervisors, legal, compliance or audit personnel, or by using confidential hotline, website or ombudsmen mechanisms; (2) assuring all employees who step forward that they will not be terminated or otherwise discriminated or retaliated against for raising good faith compliance concerns; (3) examining, in a responsible and appropriate way, all reported potential compliance issues; and (4) taking reasonable corrective measures, including changing business practices and systems, imposing discipline, and when appropriate, reporting the issue to regulators. While it would have been better, as we and others previously stated (see our prior memo here), for the SEC to have fully respected those programs by requiring whistleblowers to first make an internal report, this does not mean that corporate compliance regimes have become obsolete. In fact, they have become even more important.

Second, it also is important to recognize that what is new is relatively limited: Dodd Frank’s heightened financial incentives for whistleblowers (who can now hope to receive 10% to 30% of any monetary sanction over $1 million that results from their report of “original information” to the SEC) can reasonably be expected to increase the number of whistleblower reports and to impose greater burdens on companies facing inquiries resulting from such reports. But, as SEC Enforcement Director Robert Khuzami reported at a SIFMA-sponsored luncheon in New York last week, the staff has not seen a big spike in whistleblower reports. He did note that, at least in some cases, the overall quality and extent of documentation supporting the tips the SEC is now receiving has improved, which he attributed to whistleblower lawyers doing more careful vetting of the reports and shaping what is said so that it will more readily appear to be of interest to the SEC.

Third, for companies considering how best to respond to these new rules, we do not see a need for most companies to substantially revamp their policies, if they already have in place the elements described above. We do, however, strongly recommend taking affirmative steps to reinforce and repeat the key message that all employees are encouraged to report any compliance concerns directly to the company. If you plan to repeat those messages, keep in mind the following:

• (1) Tone at the Top: the voice that carries farthest within any company comes from the top – so, consider having your CEO speak periodically about the importance of maintaining an effective compliance culture and the need for employees to recognize that they are the company’s first line of defense and should therefore report promptly any compliance concerns they spot; this message can be conveyed by the CEO at periodic “town halls” with employees, through letters or intranet messages;
• (2) Effective Training: the fact that periodic training has been conducted should be well documented, including by securing annual certifications from employees that they have received such training and have reported any compliance concerns of which they are aware;
• (3) Compliance as an element of job performance: including a compliance evaluation component, as well as elements that encourage compliance reporting can be useful tools in annual job performance evaluations, and any new information that is reported should be documented and examined;
• (4) Hotlines: periodic refreshers should be sent out reminding employees of the easy availability of hotlines and other reporting mechanisms, as well as reinforcing the message that the company’s Code of Conduct calls for all employees to use these tools;
• (5) Prompt responses to reports: when compliance and/or HR reports are made, it is critical that the company investigate promptly and thoroughly, and that it communicate regularly and effectively with the employee making the report, so that potential issues are seen to be receiving appropriate attention, concerns do not fester, and small problems do not grow, through inattention, into major issues;
• (6) Exit procedures: whenever an employee is exiting from the company, the exit interview should include a compliance component that solicits a report by the exiting employee of any compliance issues, which can then be documented and followed up;
• (7) Supervisory training: supervisors should receive special training to teach them how to encourage self-reporting by employees of possible compliance violations and to avoid engaging in any form of retaliation or discrimination against employees who do make such reports; and
• (8) Incentives to report to the company: at least in some cases, it may be advisable – for example, in response to questions that may be raised by employees — to remind them that the new SEC rules actually contain several significant incentives for employees to first report their concerns to the company: (i) if they report first to the company, and then either the company or employee reports to the SEC within 120 days of that first internal report, the employee’s “place in line” will date from his/her first internal report to the company; (ii) if a monetary sanction does result, the final SEC rules say that employee will likely get a larger reward (within the 10% to 30% range) if they reported first to the company (and less if they didn’t); and (iii) if the company ultimately reports to the SEC a broader set of concerns than the employee initially had, the employee will get full credit for the entire set of concerns reported by the company.

Reminding employees of these rules will not only increase the chances that employees will decide to first report their concerns to the company, it will also provide a well-documented record of the company’s good faith effort to establish a culture of compliance – which can have an enormously positive impact on the thinking of SEC enforcement lawyers, prosecutors and other regulators if an investigation does arise. One final element also has not changed: if and when a company decides to self-report to a regulator, or if the SEC gives a company notice of a whistleblower report and asks the company to respond, as it has said it will likely do in many cases, a company’s ability to maintain credible and effective lines of communication with the SEC staff will remain critically important.