So much of the architecture of corporate governance has been the subject of recent federal reforms (SOX, Dodd-Frank, FCPA expansion, etc.) that it is easy to forget that those enactments leave a lot of the governance landscape unaddressed. Clearly, federal requirements for compulsory CEO and CFO financial statement certifications, automatic clawback of senior executive stock option grants following restatement of financials, expanded MD&A and CD&A disclosures, say-on-pay voting requirements, board committee charter mandates, federal one-size-fits-all proxy access rules (that have been blocked in court from implementation), new federal whistleblowing protection schemes, and other federal reforms have reshaped many of the peaks and valleys of corporate governance and are covered at length in this handbook.
However, directors’ robust exercise of their oversight responsibilities depends on much more than taking into account those federal promontories and gullies. Arguably, some of the most important director oversight functions, such as CEO succession, conflict of interest avoidance, strategic risk assessment, capital allocation and employee retention occupy large spaces in the governance landscape that are only indirectly touched by headline-fetching federal reforms. Yet those other key oversight responsibilities might easily become neglected lacunae in the landscape if they are overshadowed by the burden and time devoted to regulators’ mandates.
Consequently, well apart from regulatory guidelines and headline pressures that structure many board tasks, directors also need to devote the self-disciplined effort requisite to fulfilling those fundamental oversight duties.
1. Mind the Gaps
Directors are not expected to involve themselves in the day-to-day operation of a business. However, without trying to second-guess every management decision, directors must exercise sufficient vigilance, judgment and experience so as to recognize a red flag (or indeed even a yellow flag) and ask questions. The answers to the questions, or lack thereof, will build insight, which will in turn inform oversight. But how are directors to know where to search for flags? Is it simply a matter of common sense, or can the search be structured?
One way to structure vigilance is to be on the lookout for gaps in relevant oversight protocols or processes. A director must ask if there is a check or balance against undue risk-taking or compliance failure, and ascertain who owns that check or balance role. Is the responsible person independent of the function being checked? If not, there is a gap.
One such gap is that between external audit and internal audit examination of certain key business practices, such as the stock option backdating practices that sparked controversy in 2006 and 2007. There, regulators discovered that neither external nor internal audits of stock option practices were checking for compliance with the APB 25 requirement that option grants be priced on the grant date. Although companies stepped up efforts to tighten option grant practices, there continue to exist other external/internal audit “gap” areas.
Another audit gap involves examination of the scope of sales contracts. Many companies, such as software developers, use license agreements in their sales process. Directors typically assume that either the external or internal audit will examine the duration and breadth of the license agreements to detect red flags, such as the risk posed by an overly broad scope. However, if a sales license is executed and recorded in the appropriate quarter; if the product is shipped in a timely fashion; and the receivable is recorded and paid in full, an external audit may never check whether the breadth and/or duration of the license is so broad as to preclude future sales of the same functionality or product family to the client.
If the license agreement generates significant revenue when the contract is executed, or includes an automatic subscription renewal, it generates large sales commissions for the sales group who made the sale, and thus may not raise any flag during an external audit and very likely may not be part of the internal audit’s periodic review calendar. Why? Because if the license is paid in accordance with its terms, the decision to “sell away” future revenue prospects may be considered a business decision and not an audit judgment.
Once identified, a gap like this is readily addressed. But identification starts with making no assumption that there exists a check or balance, and by asking what the check and balance is, who owns that responsibility, and by identifying whether that person or unit is independent of the sales originator.
A much larger gap is the one associated with companies that benefit from sales of legacy product upgrades and enhancements, especially where the installed base is large and “sticky.” While this might smack of “crying over spilt caviar,” the tyranny of an installed base has long dogged many manufacturing companies. Consider the manufacturers of photographic film. These companies were well-positioned and had every incentive to understand and embrace digital photography, but were hobbled by the demands of their installed customer base and cash cow capital equipment that slowed their response to the competitive threat. Directors of such companies had to contend with the demand for short-term profits that kept them from making large R&D expenditures.
This constant pressure to avoid a quarterly EPS expectations “gap” can lead to technological obsolescence and/or “catch-up M&A” decisions made years later than the initial R&D opportunity and at a far greater cost. Al-though the M&A capital expense is treated differently and more forgivingly by “The Street” than R&D operating expenses, the proper balance is not necessarily EPS “expectations gap” management through deferred R&D. An independent director’s wisest course of action, and the one most likely to enhance shareholder value, may be to call for rigorous assessment of perceived technological gaps with R&D/M&A cost comparative trade-offs (looking backward and forward).
This director oversight role involves more than a knee-jerk “build versus buy” response. Great companies, and great directors, vigilantly track competitive product developments and innovations looking for disruptive technology threats and opportunities.
The challenge for directors is to add structure to the way boards assess such developments, in particular by unbundling three distinct questions that, if blurred together impede or even block board decision-making: (1) Corporate structure or governance; (2) product (or service) innovation; and (3) employee incentives and retention. A board discussion that mixes innovation brainstorming with considerations of corporate structure and governance (Who? How? Where in the organization?) and employee incentives (How to nurture innovation? How to retain the innovators?) could grind to a halt if directors do not sequence their oversight tasks by putting innovation before incentives and incentives before governance.
This task is made more complicated by the fact that existing business units may not neatly fit innovation needs and existing incentive structures may be too one-size-fits-all to promote disruptive product change. Yet, there are in the marketplace successful models of companies and boards that have isolated innovative needs, nurtured them, and transformed (not merely adapted, but transformed) corporate governance to foster the new while preserving the existing (presently best but soon to be only “good enough” technology). Such transformation can involve carving out equity in new venture subsidiaries that focus strategy, accountability and stock performance on the innovation sponsored by the parent. In any event, directors play a critical, value-enhancing role by structuring (in this example, sequencing) board consideration over time of how to optimize innovation oversight.
Finally, there are a number of potential personal gaps that directors should address. Directors need to be sure that they appropriately protect the information they receive and that they recognize when it creates a conflict of interest for them. In particular, they need to receive the information about the company whose board they sit on (Company A) in a manner that protects its confidentiality, for example, through a Company A password- protected website or at a Company A email address—not at their day-job (Company B) email address. Furthermore, if a potential business project should arise that could be advantageous to both Company A and Company B, or if confidential information about a business prospect is conveyed to the director in his or her capacity as an employee at Company B, the director needs to inform Company A’s board that he or she must recuse himself or herself from Company A’s consideration of the prospect, and continue to do that unless or until Company B passes on the matter. (For further discussion on this topic, see Chapter 1.)
2. Can You Hear the Whistle Blow?
If you miss the train I’m on,
You will know that I am gone,
You can hear the whistle blow a hundred miles…
(Hedy West, “500 Miles”)
Following a 3 to 2 vote in mid-2011, the SEC implemented new rules for Dodd-Frank Act “whistleblower” incentive payments and whistleblower anti-retaliation protections. Under the new rules, employees are free to bypass corporate compliance programs in pursuit of whistleblower award riches constituting no less than 10 percent and up to 30 percent of total monetary sanctions imposed in an SEC enforcement action. They may confidentially and anonymously tip the SEC without notifying their employer.
To trigger a whistleblower bounty, SEC enforcement need only have been prompted by a whistleblower’s tip, provided that tip is either a small but early stimulant or an important enough piece of information to the overall scenario ultimately assembled by the SEC. Alternatively, whistleblowers who report their tips internally to corporate compliance programs will be credited by the SEC with potentially all information subsequently reported by their company following an internal investigation initiated in whole or in part by the employee’s actions, even if the company reported information that goes well beyond the information reported by the whistleblower, provided the whistleblower provides the tip to the SEC (confidentially and without necessarily informing the employer of doing so) within 120 days of apprising the company. 
Compliance personnel and auditors who are otherwise ineligible for whistleblower bounties but “reasonably believe” that tipping the SEC is necessary to prevent substantial injury to the company or investors, or who believe that the company “is engaging in conduct that will impede an investigation of the misconduct” are eligible and free to tip the SEC without informing the company.
In light of the fact that SEC enforcement settlements against issuers have risen into the $50 million to $150 million (or greater) range, corporate compliance processes must be adapted to this new dynamic. Given the non-empirical way that the SEC has gone about fashioning these rules (after all, the SEC was tipped to the Madoff scheme without offering any whistleblowing carrot and did nothing about it), and given the level of outcry upon their adoption, directors overseeing compliance processes may welcome some practical discussion of how to adapt existing best practices to this development and how to think about a court challenge to a key aspect of the rules.
In 1990, the Penny Stock Remedies Act gave the SEC authority to seek civil money penalties in enforcement cases, and in 2002, Section 308 of the Sarbanes-Oxley Act changed the disposition of penalties to make penalties as well as disgorgement components of Fair Fund distributions to securities violation victims. SEC enforcement monetary sanctions skyrocketed. However, the legislative history of those same penalty provisions strongly suggests that Congress did not intend that a corporation’s current, innocent, shareholders bear the cost of corporate penalties. 
In 2006, the SEC published a policy statement in defense of its financial penalty methods.  It has been criticized: In 2009, a U.S. Government Accountability Office report recommended reexamination of whether the SEC methodology is effective in achieving its stated “deterrence” goals.  Courts approving recent SEC enforcement settlements have also questioned the logic of imposing the cost of corporate penalties on current shareholders—as contrasted with penalties imposed on responsible decision makers within the company.  Such skepticism is compelling where the underlying conduct is neither systemic nor readily detectible even by best practice compliance programs, because corporate (as contrasted with individual) penalties do not “deter” entities already energetically attempting to comply with the securities laws. The SEC is expected to revise its policy statement on penalties in light of those developments. However, the new whistleblower rules suggest that nothing very constructive should be expected from the SEC.
Under the SEC’s new Dodd-Frank Act Regulation 21F (effective August 12, 2011),  whistleblowers may now report any knowledge of possible violations of federal securities laws, regardless of any confidentiality obligation to, or written agreement with, their employer, customer or supplier. They may also provide the SEC with information obtained under seal in a civil litigation (e.g., between an issuer and a customer), even if that information belongs to a third party and is itself subject to a judicial or administrative civil protective order designed to block its disclosure. The whistleblower does not have to inform the employer of doing so.
Whistleblowers are protected against employer retaliation, and it is assumed that a state law policy of protective order confidentiality would not overcome the federal interest in incentivizing people to provide a tip to the SEC. Furthermore, regardless of state law, and even if the whistleblower’s employer is represented by counsel (as publicly traded corporations universally are), the SEC may communicate with the whistleblower without notifying the employer’s counsel.
To be eligible for a whistleblower award, the whistleblower must provide the SEC with all information and documents related to the initial tip in his or her “possession.”  Whether or not the employee’s possession of corporate or third-party documents is lawful such that he or she may provide them to the SEC without the owner’s consent and with impunity from state law misappropriation claims is not addressed by the Act. Also unaddressed is whether and how the SEC staff can screen for attorney-client privilege if the whistleblower fails to identify or misidentifies the ultimate source of the tipped information.
If a domestic court determines that whistleblower information has been obtained “in violation of federal or state criminal law,” the information will not qualify as “original information” that a whistleblower can confidentially report to the SEC without notice to the employer and under protection from employer reprisal.
The Implementing Release to Reg. 21F notes that the SEC rejected proposals asking that Reg. 21F address whether the employee “possesses” the employer’s documentary or intangible information, observing only that the SEC believes employers’ trade secret or commercial property value concerns are outweighed by law enforcement policy goals.
The Implementing Release states that corporate confidentiality cannot prevent employees from providing information to the commission without a subpoena and without notice to the employer: “We caution employers that, as adopted, Rule 21F-17(a) provides that no person may take any action to impede a whistleblower from communicating directly with the Commission about a possible securities violation, including by enforcing or threatening to enforce a confidentiality agreement.” 
Whether, how and when issuers and auditors could challenge a whistleblower providing copies of documents to the SEC is discussed below. First, however, let’s consider how internal compliance processes need to adapt to Reg. 21
3. Adapting Corporate Compliance Processes to SEC Whistleblower Challengers
The rules’ two fundamental elements, “carrot” and “content,” can be used to implement three recommended adaptations to internal corporate processes: (1) Revised dialogue; (2) revised documentation; and (3) accelerated timetable.
3.1 Addressing the Carrot and Content
Addressing the carrot entails recognizing that a whistleblower’s pursuit of a monetary reward depends on (1) the SEC opening an investigation, that (2) is based on the whistleblower’s information (not otherwise known to the SEC) which (3) leads or significantly contributes to the success of a judicial or administrative SEC enforcement action that (4) results in monetary sanctions (penalties or disgorgement and interest) exceeding $1 million. Addressing the content entails using the company’s comparative advantage over the SEC in gathering internal information to minimize the “value-add” of a whistleblower’s tip to the SEC and maximize the value-add of self-reported information.
3.2 Coincident, Competing and Conflicting Interests
In one fell swoop, the SEC’s whistleblowing rules touch off within the mind of potential whistleblowers a series of incentives that are, in turn, coincident, competing and conflicting with the interests of his or her employer. Whistleblowers may decide not to internally report the issue and instead contact the SEC directly because: (1) They fear reprisal, despite the fact that that reprisal is both inappropriate and counterproductive as a matter of corporate policy, and despite the fact that Reg. 21F itself prohibits reprisal; (2) they are distrustful that the company will take action (clearly contrary to company’s best interests); (3) they believe they may have some culpability and seek personal advantage by tipping first (ditto); and (4) they think the prospect of a bounty is greater if the company does not self-report in an attempt to avoid SEC penalties (which the whistleblower hopes to significantly share in, directly in conflict with company and shareholder interests in minimizing penalties).
Alternatively, an employee may decide to inform the employer, wait up to 120 days to see what happens, and still confidentially tip the SEC to try to secure whistleblower entitlement to an award based on information subsequently reported to the SEC by the employer, even if it was not developed from the tip.
3.3 Revised Dialogue and Documentation
What to do? Companies can diminish the lure of the SEC’s whistleblower incentive by adding clear messaging and iterative steps to their extant internal compliance hotline tip protocols. Best practice corporations already cultivate a tone at the top of integrity and vigilant compliance with highest ethical standards which are projected throughout the corporation. But in light of the altered incentives of Reg. 21F, compliance hotlines and similar protocols now need to be more than one-time channels of employee input that are confidential, anonymous (if desired), secure, privileged, acted upon, and valued by all concerned. Those elements alone are necessary, but now may not be sufficient to minimize exposure to SEC penalty.
Companies can aspire to do more than before, and in attempting to do so, can improve potential Reg. 21F impacts. Specifically, issuers can amend hotline procedures to stimulate a superior, iterative information flow akin to (though distinct from) a dialogue. This can occur in several ways, but the simplest example is a confidential internal tip process that, by using reverse FAQs, prompts employees not only to confidentially provide information about possible securities violations, but also encourages and structures iterative privileged follow-up information-gathering from the informant, while preserving anonymity and confidentiality.
Reverse FAQs refers to taking the concept of frequently asked questions on a pull-down menu with associated answers and reversing the dynamic. In addition to free-form input from the employee who accesses the hotline or another confidential employee alert input mechanism, that same employee can be prompted by a set of questions to provide additional information to the company’s internal counsel, such as: (1) Is the matter you’re raising currently ongoing? (2) Do you believe this to be a single incident or more than a single incident? (3) Have you discussed this issue with your supervisor, and if not, do you have any concern about doing so? (4) Is your communication today about a transaction (for example, a customer order or sale)? If so, what can you tell us about it? (5) What is the nature of the misconduct you observed? (6) Do you believe that someone misapplied a methodology (such as an accounting rule or guideline)? If so, please describe what you understand the issue to be. And so on.
These iterative queries build a data base, if answered, and build a record that the company has a method of outreach, if not. A balance must be struck, depending on facts and circumstances, such that the issuer’s desire for follow-up and for more information does not compromise an employee’s interest in anonymity of input. Although anonymity encourages input by those who (rightly or wrongly) fear reprisal, it limits verification. Of course, employees with an axe to grind may input false leads, as is inherent in any hotline process. But the degree (and quality) of responses to an iterated menu of questions can aid in assessment of whether the tip appears to be bona fide.
Robustness of hotline reporting also can be enhanced if the reverse FAQs contain links to company policy statements related to the iterated inputs. Links can be added to précis of the company’s policies on sales contract “side letters,” rights of return, cancellation rights, payments or gratuities to customers, as well as links to précis of key methodologies such as quarterly sales cut-off practices, the application of stock option guidelines, capital versus operating expense nomenclature and classification, sales through reseller protocols, software development cost classification, and so on. Such guidance may lead to better informed or more focused inputs.
Combining this encouragement of and receptivity to richer information about possible compliance failures accomplishes several things: (1) It may result in better or more complete information on which to act, or result in a judgment that no action is warranted; (2) it signals employees that the corporation is energetic about detecting violations; (3) it can be accompanied by clear messaging that the corporation will self-report to the SEC credible information about material misconduct; and (4) it positions the company with a robust record that it has an energetic method of outreach, in the event that a whistleblower ignores the company’s processes and tips the SEC without a heads-up to the corporation.
Companies can also diminish the Reg. 21F bounty incentive by alerting employees that the company self-reports to the SEC credible information about possible securities law violations it becomes aware of. That message from the top (part of conveying how “tone at the top” permeates the company culture) can state explicitly that the company’s self-reporting serves two purposes: (1) It implements corporate adherence to ethical and securities law compliance; and (2) it benefits shareholders by reducing the likelihood of SEC enforcement action (and penalties) which burden shareholders with costs that can be avoided by strong ethics and strong compliance.
You may now be thinking, but there’s the rub: Reminding or alerting an employee who is eyeing a whistleblower bounty that company self-reporting can reduce SEC penalties is a disincentive to the employee to provide input through company processes. Yes—unless there is something in it for those employees who need more than do-the-right-thing motivation to overcome the lure of potential whistleblower riches. In that regard, issuers can and perhaps will adopt policies that reward employees who bring observations of misconduct to the attention of decision-makers, including acknowledging and rewarding employees whose input led or contributed to successful internal investigation and self-remediation. In fact, if in some instances that acknowledgment itself is announced internally but the source remains anonymous as part of the corporate message that the “hotline works” to support the code of conduct, it will increase the risk of detection in the minds of potential wrongdoers, who will have less confidence that they can get away with misconduct and more concern that anyone could be watching for serious departures from codes of conduct.
Under Reg. 21F, if the whistleblower chooses to report the matter internally, he or she need not advise his or her employer of having tipped the SEC. If an employee reports the issue internally and identifies himself or herself, should the company ask if he or she has informed any regulator? Probably not; it may cause an employee to contact the SEC who otherwise would not have done so. It could also be viewed by the SEC as inconsistent with Reg. 21F’s encouragement of direct ex parte confidential employee contact with the SEC. Reg. 21F encourages the whistleblower, after contacting the SEC, to provide “ongoing, extensive and timely cooperation and assistance” to the SEC including “by, for example, helping to explain complex transactions, interpreting key evidence, or identifying new and productive lines of inquiry.”  If, instead of asking the employee about contact with the SEC, the employer lets the employee know that it treats hotline inputs seriously and self-reports to the SEC in appropriate circumstances, that will build a record if the employee has or will tip the SEC, and it sets the stage for internal compliance follow-through. (Note that employees are not eligible for a whistleblower award based on information they learn from an internal compliance review. )
It is important to note that company follow-through on hotline inputs must occur on an accelerated timetable.
3.4 Accelerated Timetable
Consider these logistics: First, only 40 days are allowed between the end of a quarter and the filing of the company’s Form 10-Q. Second, the company’s auditor must sign off on its SAS 100 quarterly review of the 10-Q’s financial statements, but will not do so if there is a pending inquiry or review of a potentially material accounting issue (even if related to a prior period). Third, stock exchanges commence delisting proceedings if the Form 10-Q is not filed in a timely manner or no later than a single five-day extension.
These deadlines constrain companies that receive an internal hotline tip with information that could lead to a material accounting error or irregularity. The judgment of whether a hotline tip is potentially material or involves an illegal act is a difficult one. Once made, the auditor must be promptly notified. The auditor will withhold SAS 101 sign-off on the quarter, triggering the need for accelerated review by the audit committee to attempt to resolve the question before the 10-Q filing deadline. Meanwhile, an employee who uses the company hotline has 120 days (less than the time from the beginning of the quarter to 10-Q filing) to notify the SEC.
Internal hotline monitoring and review must thus take into account that serious issues are best self-reported to the SEC no later than the point at which a timely 10-Q filing (and SAS 101 auditor review sign-off) are potentially in doubt, both to demonstrate company vigilance and to minimize SEC enforcement and sanctions risk should a financial statement restatement ultimately be required.
3.5 Protecting Attorney-Client Privilege
Generally speaking, a whistleblower will not be eligible for an award for providing the SEC with information obtained through a communication that was subject to the attorney-client privilege (Rule 21F-4(b)(4)). However, the SEC refused to take steps in Reg. 21F to protect against whistleblower misuse of attorney-client privileged communications.
If an employee discloses privileged information to the SEC confidentially (and perhaps anonymously), the SEC is not obligated to notify the company. Moreover, under Reg. 21F, the SEC may reach out ex parte to that employee for follow-up conversations and submissions. The Implementing Release to Reg. 21F states only that “nothing in this rule will authorize the staff to depart from the Commission’s existing procedures and practices when dealing with potential attorney-client information, citing SEC Division of Enforcement Manual § 4.” 
However, nothing in the manual addresses how the SEC is to determine, based on an ex parte communication, whether or not the information is privileged. Because the SEC staff does not vet the privilege issue with the company, it should not be able to assert waiver, nor be permitted to rely on the information. (Note that to invoke the crime-fraud exception, the SEC would have to show that the information itself is in furtherance of a crime or fraud, not merely that it might provide evidence of a crime or fraud—as even the SEC manual acknowledges.) However, that is of little comfort once privileged or misappropriated information has prompted SEC curiosity.
Knowing disregard of privilege by SEC staff of a company that has strong hotline-self-reporting compliance practices could be the basis for a Wells Submission (directed especially to those commissioners who opposed Reg. 21F as proposed) to ask the commission to refuse a staff enforcement recommendation that condoned overbroad tactics in disregard of corporate initiative. However, this assumes that the company learns that the SEC staff has received privileged documents, which may not occur until discovery in an enforcement action. This troubling possibility further supports court challenge to Reg. 21F’s ex parte provision of corporate documents, or identification of the location of corporate documents, as discussed below.
4. Challenging Whistleblower Rule Methods
4.1 A Possible Business Records Protocol
Also unresolved by Reg. 21F is whether employers may do something far short of enforcing confidentiality obligations without being deemed to have “interfered” with an employee’s direct communication with the SEC. Specifically, can employers require or request, as matter of an employer’s own compliance policies, that the employee provide the employer with notice and copies of any documents that are provided to the SEC? This question should be tested, or perhaps raised with the SEC staff by issuers and auditors as follow-on to their rule comments.
The distinction is that anonymous confidential ex parte oral communication with the SEC differs from provision of the employers’ business records to the SEC. Of course, the SEC will argue that if an employer were to require or request that copies of documents or data files provided to the SEC be also provided to the employer, it could undercut whistleblower confidentiality and anonymity, subject the employee to potential retaliation, and discourage whistleblowing in the first place, because the documents may identify or be traceable to the whistleblower employee.
But this is not a question of retaliation, or prohibition. To prohibit a company from adopting its own notice provision of such use of its documents, especially where it has a robust hotline program, would be a form of governmental intrusion based on the thinnest (ends justify the means) premise that willfully disregards hotline practice. In contrast to Reg. 21F, to be eligible for a whistleblower award under the False Claims Act, a qui tam relator must file a federal court complaint and also allege fraud with specificity as required by Federal Rule of Civil Procedure 9(b); whereas, a Reg. 21F award requires no court filing, and only a confidential form completed under penalties of perjury which ties the informant to SEC mandates and control but involves no court role.
Issuers and auditors should collectively propose to the SEC that its staff raise no objection to companies adopting a business records notice protocol as part of their compliance programs. The protocol would request that employees provide to the compliance group copies of any business records submitted to a regulator, absent evidence that the compliance process is untrustworthy. The business records notice protocol would cover all documents proffered by a whistleblower, which would avoid unreasonable seizure of papers and protect against the possibility of inadvertent (or other) provision to the SEC of documents reflecting privileged communications (see below).
The SEC rejected issuer and auditor comments on proposed Reg. 21F that would have required employees to first report their information to the employer compliance hotline or similar channel, which would have given such notice. There is no strong reason to believe that a corporate compliance business records notice protocol would be acceptable to the SEC. However, the Dodd-Frank Act requires the inspector general of the commission to submit a report of findings of experience under the whistleblower provisions no later than January 2013. One remarkable aspect of that report is that it is requested to address for Congress whether a qui tam-like private right of action regime should be established for SEC whistleblowers. That troubling notion should motivate issuers and auditors to build a record of proposed implementive protocols (such as a business records notice protocol) which assert the property right in business records and affirm the procedural initiative of best practice companies to self-police securities law compliance through protocols such as the one suggested above. SEC rejection of such a proposed protocol also could be a helpful factor (though not prerequisite) in a court challenge.
4.2 Court Challenge?
The Foreword to the 2011 edition of this handbook offered a detail summary of the SEC’s new Proxy Access Rules.  A subsequent court challenge to the SEC’s authority to adopt the rules blocked their implementation. Corporate directors’ collective legal action through the U.S. Chamber of Commerce and the Business Roundtable helped prompt that legal challenge.
So consider this: Reg. 21F offers whistleblower bounty and retaliation protection to confidential informants who provide the SEC with copies of corporate documents (and/or identify the location of documents) without notice to the firm, even if the firm’s internal compliance processes are robust. Yet, when a law enforcement officer acting without a warrant pays or offers to pay someone to act as the government’s agent to hand over evidence (drugs, weapons, documents) obtained from an unsuspecting person, courts have found such means to be a constitutionally unreasonable seizure. It would thus not be surprising to see a court challenge to the Reg. 21F provisions regarding conveyance of corporate documents by whistleblowers to the SEC.
Under the Fourth Amendment, a seizure “occurs when there is some meaningful interference with an individual’s possessory interests in that property” by governmental action.  When a private individual acts as an agent of government, the Fourth Amendment applies. The basic question is whether Reg. 21F’s combination of whistleblower incentives, procedures and protections transforms employee conduct in providing employer documents to the SEC into an unconstitutional government search. Both schemewide (facial) challenge and as-applied challenge (including exclusionary rule application) may occur.
Surprisingly, there are few court decisions interpreting the somewhat analogous False Claims Act (FCA), addressing whether a relator who provides documents to the Government under a regulatory scheme of government monetary encouragement and protection becomes a “state actor” or agent for Fourth Amendment purposes.  Most circuit courts outside the FCA setting apply a two-part standard to determine whether a private citizen has become a state agent: “(1) Whether the government knew of and acquiesced in the intrusive conduct, and (2) whether the party performing the search intended to assist law enforcement efforts or to further his own ends”. 
Another way of saying this is to ask whether there is a sufficiently “close nexus” between the government and the challenged action, such as through significant encouragement, such that “the choice must in law be deemed to be that of the State.” 
With those standards in mind, let’s lay out Reg. 21F’s pertinent elements, compare them to FCA relators and to other individuals and schemes that courts have determined involve state action, and then contrast Reg. 21F’s elements to individuals (bail bond bounty hunters and IRS informants) whom courts have determined do not act under “color of law.”
4.3 Key State Act Elements of Regulation 21F
4.3.1 The Whistleblower’s Guaranteed Share 
The very purpose of Reg. 21F is to incentivize action by private individuals for government use with a guarantee of at least 10 percent of monetary sanctions exceeding $1 million if eligibility criteria are met. Further, the whistleblower receives a guaranteed award only if the government itself receives a payment. The larger the sanction, the more the government and whistleblower share.
4.3.2 Protection from Retaliation
Whistleblowers are both incentivized and protected by the Government against retaliation by their employers, even if their provision of documents to the SEC violates civil law or a protective order. In fact, the SEC itself backstops the protection; it (as well as the individual) may bring an action for violation of whistleblower protections. 
4.3.3 Original Information Requirement
In order to qualify for an award, a whistleblower must provide the SEC with information it does not already have, and must not provide it to anyone else, except perhaps to an employer (should the whistleblower choose).  This aligns the interest of the government and employee in action vis-à-vis the employer.
4.3.4 Mandatory Description of Supporting Materials and Location
To qualify for an award, whistleblowers must submit a Form TCR, which requires the whistleblower, under penalty of perjury, to “[d]escribe all supporting materials in the complainant’s possession and the availability and location of any additional supporting materials not in complainant’s possession.” 
Form TCR also requires whistleblowers, under penalty of perjury, to “[i]dentify with particularity any documents . . . in your possession. . . .” 
These requirements speak for themselves in terms of state action: The SEC is not merely passively listening to (or for) what an informant might say, but actively structuring and mandating as principal what its agent must do.
4.3.5 More Information Results in Larger Awards
The information provided by the whistleblower must be specific and credible, and/or significantly contribute to a government investigation. Moreover, a whistleblower’s award can increase with ongoing, extensive, and timely cooperation.
Significantly, the rules also incentivize ongoing ex parte SEC communication with the whistleblower whose cooperation and assistance “by, for example, helping to explain complex transactions,”  which underscores the intertwining of SEC and whistleblower action. Even if provision of documents pursuant to Form TCR were not state action (as it arguably is), the follow-on ex parte entanglement of the SEC and whistleblower is a considerable level of state action.
4.3.6 Sworn in without Instruction
As noted above, Form TCR is a sworn statement, yet whistleblowers receive no instructions on how to use their power appropriately, such as how to avoid misappropriation of property or waiver of privilege, maintain candor with employers, etc. This governmental use of individuals to obtain documentation without defined guidance creates a broad scope of governmental involvement through the agency of people unconstrained by a principal’s prescribed direction, rendering the principal’s reach unlimited.
Let’s look at these Reg. 21F elements under Fourth Amendment tests. There are important Supreme Court cases cautioning that “no precise formula” exists for recognition of state responsibility through an individual agency,  and that facts and circumstances, including questions of individual intent, can be weighed against facial challenge to the validity of some public-private coordinated activities (through licensure for example). Nevertheless, where there is a “close nexus” between the government and the challenged action, a statutory scheme will be found to be a violation of rights.
The Supreme Court reviewed the application of the Fourth Amendment to private searches in connection with statutory schemes in Skinner v. Railway Labor Executives Ass’n.  There, the Federal Railroad Safety Act of 1970 granted the Secretary of Transportation authority to impose regulations to assure the safety of railroads. As an example, in order to prevent substance abuse by railroad employees, Federal Railroad Administration regulations authorized, but did not require, railroads to sample employee blood and urine if they “violate[d] certain rules.” The fact that the government had “not compelled a private party to perform a search” did not, by itself, render the search a private one. Rather, the Court considered “clear indices of the Government’s encouragement, endorsement, and participation,” the fact that employees could not decline a request to the private tests, that employees could be terminated for refusal, and that the Government “made plain not only its strong preference for testing, but also its desire to share the fruits of such intrusions.” The Fourth Amendment applied.
Regulation 21F’s scheme, like the scheme in Skinner, is permissive. Employers under Reg. 21F (like the employees in Skinner) subject themselves to adverse consequences if they terminate a whistleblower because he or she provided documents to the SEC. Employees (like the private railroads in Skinner) forfeit benefits (rewards, protection) of the regulation if they do not embrace the government’s methods as their own. Reg. 21F’s “original information,” “sufficiently specific,” “timely” and “credible” criteria and “location” of documents inquiry all evidence strong, governmental preference for private searches for information not otherwise obtainable. Indeed, since the government’s goal is to prevent securities fraud, the information itself needs to be useful for its purpose, and whistleblower secrecy reduces the risk of detection by wrongdoers. In contrast to bail bond cases  (where the law is in flux and includes interpretation of the role of the bondsman’s private contract) and to IRS informant cases  (where there is no government guaranteed payment under IRS discretionary award practice), Reg. 21F implements a statute that creates and guarantees a minimum award, as a shared governmental, not private, ordering.
It might be suggested that “state action” determination is often so facts-and-circumstances specific that as-applied rather than facial adjudication should be considered. However, the Reg. 21F scheme’s six factors listed above are unchanging. Any as-applied challenge by a corporation to Rule 21F likely would come after one or more cats are out of the bag—that is documents misappropriated, privileges disregarded or unsuspecting fellow employees asked by a whistleblower for follow-up information at the SEC’s request.
The SEC has taken the position that the exclusionary rule should not apply to its enforcement actions. If this position is upheld, material provided by the whistleblower could be admitted into evidence at trial. The courts have largely avoided the question to date. However, in OKC Corp. v. Williams, a Texas court held, against SEC opposition, that the exclusionary rule would apply to an SEC enforcement action where the SEC sought to use an outside counsel’s investigative report obtained in violation of the company’s Fourth Amendment rights where SEC employees were directly or indirectly “involved” in the search. The court found that the exclusionary rule’s deterrent purpose was fully applicable if an SEC employee “actively participated in a private party search, or st[ood] by watching it with approval, and then reap[ed] the benefit,” or it occurred “under the active supervision of the governmental authority.”  Regulation 21F provides a focused opportunity to address this question.
Obviously, in an SEC enforcement action, where it ultimately comes to light that a whistleblower provided copies of company documents to the SEC pursuant to Reg. 21F protocols, an issuer could then challenge the application of the Regulations and move to exclude the documents and information flowing from them. By that time, however, the company likely faces case-specific pressures to resolve the matter. Given how few actions are tried to verdict, there is little present likelihood of early resolution of these questions absent a facial challenge.
 This elastic feature, Rule 21F-4(c), was explained after the comment period. The Implementing Release states that if: “(1) a whistleblower reports original information through his or her employer’s internal whistleblower, legal or compliance procedures before or at the same time he or she reports them to the Commission; (2) the employer provides the Commission with the whistleblower’s information or with the results of an investigation initiated in response to the whistleblower’s information; and (3) the information provided by the employer to the Commission ‘led to’ successful enforcement under the criteria of Rule 21F-4(c)(1) or (2) . . . then the whistleblower will receive full credit for the information provided by the employer as if the whistleblower had provided the information to [the SEC]”. Implementation of the Whistleblower Provisions of Section 21F of the Securities Exchange Act of 1934, Release No. 34-64545 (SEC June 13, 2011) (“Implementing Release”) at 101 (emphasis added).
 S. Rep. No. 337, 101st Cong. 2d Sess. at 17 (1990).
 U.S. Sec. and Exch. Comm’n, Statement of the SEC Concerning Financial Penalties (Jan 4, 2006).
 U.S. Gov’t Accountability Office, GAO-09-358, U.S. Sec. & Exch. Comm’n: Greater Attention Needed to Enhance Communicatin and Utilization of Resources in the Division of Enforcement 51 (2009).
 See SEC v. Bank of Am. Corp., Nos. 09 Civ 6829 (JSR), 10 Civ. 0215 (JSR), 2010 WL 624581, at *16-20 (Feb 22, 2010) (criticizing, but approving $150 million settlement, noting that a fine assessed against the issuer, taken by itself, penalizes shareholders).
 Securities Whistleblower Incentives and Protections, Securities Exchange Act No. 34-64545, 76 Fed. Reg. 34300 (June 13, 2011).
 Rule 21F-8(b). Implementing Release at 32 n 75.
 Implementing Release at 33 n 76. The Implementing Release states, “We have determined to exclude (subject to exceptions set forth in these rules) only information received in breach of the attorney-client privilege, not other confidential relationships recognized at common law.” Implementing Release at 54 n 117 (emphasis added).
 Implement Release at 256.
 But see footnote 1 above.
 Implement Release at 202.
 The 2011 Foreword can be found on the companion CD.
 United States v. Jacobsen, 466 U.S. 109, 113 (1984).
 See Isaac Rosenberg, Raising the Hue . . . And Crying: Do False Claims Act Qui Tam Relators Act Under Color of Federal Law?, 37 Pub. Cont. L.J. 271, 300 (2008) (stating that the “state action theory has not been raised to challenge any FCA investigations of record”).
 United States v. Miller, 688 2d 652, 657 (9th Cir. 1982) (citations omitted).
 Brentwood Acad. v. Tenn. Secondary Sch. Athletic Ass’n, 531 U.S. 288, 295-296 (2001); Blum v. Yaretsky, 457 U.S. 991, 1004 (1982).
 Rule 21F-3. See also FCA § 3730(d), 31 U.S.C. § 3730(d).
 Implementing Release at 18. See also FCA § 3730(h), 31 U.S.C. § 3730.
 Rule 21F-9. See also FCA § 3730(e)(4), 31 U.S.C. § 3730(e)(4).
 SEC Form TCR ¶ 9.
 SEC Form TCR ¶ 11.
 Rule 21F-6(a)(2)(i).
 Brentwood, supra, 531 U.S. at 295-296.
 489 U.S. 602 (1989).
 See e.g., Ouzts v. Md. Nat’l Ins. Co., 505 2d 547, 551 (9th Cir. 1974).
 See e.g., U.S. v. Snowadzki, 723 2d 1427 (9th Cir. 1984).
 OKC Corp. v. Williams, 461 Supp. 540, 548 (N.D. Tex. 1978).