As a public company executive officer or general counsel, how should you deal with a disgruntled employee who is or could be an award-seeking SEC whistleblower?
The short answer is, of course, very carefully. For the longer answer, read on.
The SEC’s Cultivation of Whistleblowers
Corporate managers and the SEC tend to have very different views of employees complaining of possible violations. Corporations frequently have painful experiences with troubled employees who see violations that don’t exist. Although the SEC has had similar internal experiences, when it comes to employees of public companies and financial institutions, the SEC is, in the first instance, inclined to believe the employee and not the company.
The Commission and its enforcement staff are unabashedly enthusiastic about rewarding and protecting individual whistleblowers. Congress did not impose the whistleblower award provisions in the Dodd-Frank Act on the Commission. The Commission asked for those provisions, because it believes that many companies are not adequately policed by themselves or their auditors or attorneys, and will not willingly self-report possible violations of the federal securities laws.
This concern exists despite a legal provision (Section 10A of the Securities Exchange Act of 1934) that can require reporting out to the SEC by a public company or its outside auditor about securities law violations discovered during an audit, and another provision (the Part 205 professional standards) that allows an attorney to report to the SEC without the consent of a public company client if the attorney reasonably believes reporting out is needed to (for example) prevent the issuer from committing a material violation likely to cause substantial financial injury to the company or investors. While the reporting requirements of Section 10A and Part 205 have not, despite predictions, led to a large number of SEC investigations, the SEC Staff remains optimistic that the financial incentives in Dodd-Frank will lead to a different result than mere compliance with professional obligations.
Another reason that promising whistleblower tips are now taken ultra-seriously by the Commission is that the SEC is still rebounding from the damage done to it by a few staffers who botched tips about Bernie Madoff and Allen Stanford. As a result, the staff is searching for opportunities to shower money in large quantities on individuals who bring in particularly productive evidence. This has been the case since 2010, when the SEC’s whistleblower award program went into effect with the passage of Dodd-Frank. Thus far, however, only one tipper has received a whistleblower award from the SEC, and the amount of the award was very small — just $50,000. But it often takes the SEC several years to bring a big case, so we expect the award tally to change in 2013.
There is no lack of award money. The SEC’s fund dedicated to paying whistleblower awards contains over $453 million. “That money is burning a hole in my pocket,” said the head of the SEC’s Office of the Whistleblower, Sean McKessy. Other senior members of the enforcement staff have hinted that it will not be long before at least one large award is paid out. At that point, more corporate employees will become aware that SEC whistleblower awards are available, and the number of tips will very likely increase from the rate as of early 2013, when the Commission was receiving on average two or three formal tips every business day related to public company disclosures and financials or possible corporate bribery of foreign officials.
The SEC’s Focus on Protecting Whistleblowers From Retaliation
Protecting whistleblowers is no less important to the SEC than paying out awards to inspire more whistleblowing. Under Dodd-Frank, employers may not discharge, demote, suspend, threaten, harass, directly or indirectly, or in any other manner discriminate against those deemed to be “whistleblowers” because of any lawful act of whistleblowing. The SEC can enforce this anti-retaliation provision by bringing cases in federal court against allegedly retaliating entities and individuals. In addition, the whistleblower can bring a private action in federal court.
“Quality information is the lifeblood of the [SEC whistleblower] program,” the SEC’s McKessy has said. “If people think if they report wrongdoing they get fired or risk other retaliation, that well will dry up quickly.” McKessy’s office is therefore looking hard for potential retaliation cases for the Commission to bring, and working with the Enforcement staff conducting investigations to routinely collect information about personnel actions taken by companies under investigation against individuals who report information to the SEC.
Persons Who Are Protected From Retaliation: Statutory Nuances
As to who is protected from retaliation, Dodd-Frank protects almost everyone who provides information about possible violations of the securities or related fraud laws, whether the person complains internally to a supervisor within the public company or externally to the federal government, and whether or not the person is eligible for a whistleblower award from the SEC. Complainants are not protected if they act unreasonably or in bad faith, but corporate managers would be wise to assume that the SEC and perhaps the courts will give complainants the benefit of the doubt on those scores.
An individual is a protected “whistleblower” if
i) the person possesses a reasonable belief that the information she/he is providing relates to a possible violation of the securities laws or certain other federal laws (including the mail fraud, wire fraud, bank fraud, and commodities fraud laws) that has occurred, is ongoing, or is about to occur, and
ii) the person reports that information in a manner described in the Dodd-Frank anti-retaliation provision, which includes
- a. providing information to the Commission in accordance with that provision;
- b. initiating, testifying in, or assisting in any investigation or judicial or administrative action of the Commission based upon or related to such information; or
- c. making disclosures required or protected under the Sarbanes-Oxley Act or any law, rule, or regulation subject to the jurisdiction of the Commission.
According to the SEC, “reasonable belief” means the employee believes that the information demonstrates a possible violation and that the belief is one that a similarly situated employee might reasonably possess. Thus, in theory, a company will not anger the SEC if it disciplines an employee for frivolously or maliciously making complaints. In practice, however, the SEC enforcement staff tends to be skeptical when a public company claims that a would-be whistleblower has acted frivolously or in bad faith.
Interplay Between the Dodd-Frank and SOX Anti-retaliation Provisions
The reference to the Sarbanes-Oxley Act (SOX) in (c) above means that Dodd-Frank anti-retaliation protection applies more broadly to employees of public companies (and employees of subsidiaries whose financial information is included in the consolidated financial statements of public companies). Those not so employed are not covered by SOX and are not protected from retaliation under SOX or Dodd-Frank if they merely report their concerns internally. Those so employed are covered by SOX and are generally protected under both SOX and Dodd-Frank even if they only report internally, so long as they report to a person with supervisory authority over them or report to a person working for the employer who has authority to investigate, discover, or terminate misconduct. In addition, SOX and Dodd-Frank protect such employees if they report to any federal regulatory or law enforcement agency (not just the SEC) or to any member of Congress or committee of Congress.
Thus the important point for public companies to remember is that even if an employee never goes to the SEC and only reports internally, if the employee has provided information about a possible violation of the securities laws or certain other federal antifraud laws, the employer should not take any action, directly or indirectly, that could be construed as discriminating against that employee, unless the employer is prepared to prove that, in making the internal disclosure, the whistleblower was acting frivolously or in bad faith.
We have been discussing how SOX broadens the reach of Dodd-Frank’s whistleblower protections. Dodd-Frank in turn enhances the whistleblower protections and remedies found in SOX. Under SOX, complainants cannot get to federal court until they exhaust their administrative remedies. Specifically, SOX requires an employee to file a complaint with the Occupational Safety and Health Administration (OSHA), an agency within the US Department of Labor (DOL), not later than 180 days after the alleged retaliation. Dodd-Frank, by contrast, permits an employee to proceed directly to federal district court without exhausting administrative remedies, and the employee has six years from the date of the alleged retaliation or three years from the date of the discovery of the alleged retaliation (the later date controls) to file suit, so long as the suit is not filed more than 10 years after the alleged retaliation. Also, Dodd-Frank offers twice as much back-pay as SOX.
Defendants in several Dodd-Frank retaliation cases filed by putative whistleblowers have fought against the conclusion that the SOX reference in Dodd-Frank broadens the reach of Dodd-Frank’s whistleblower protections and remedies. These defendants have focused on an apparent inconsistency in the language of Dodd-Frank. Dodd-Frank defines a “whistleblower” as “any individual who provides, or 2 or more individuals acting jointly who provide, information relating to a violation of the securities laws to the Commission, in a manner established, by rule or regulation, by the Commission.” Its anti-retaliation section, however, provides that “No employer may discharge, demote, suspend, threaten, harass, directly or indirectly, or in any other manner discriminate against, a whistleblower … because of any lawful act done by the whistleblower … in making disclosures that are required or protected under the Sarbanes-Oxley Act of 2002.” In other words, Dodd-Frank says that to be a “whistleblower,” one must provide information to the SEC, but for anti-retaliation purposes Dodd-Frank extends to a “whistleblower” who makes disclosures protected under SOX, including disclosures not made to the SEC.
The SEC’s solution to the apparent inconsistency is found in SEC Rule 21F-2, which was adopted with the other implementing rules for the SEC whistleblower program in May 2011. That rule in paragraph (a) repeats Dodd-Frank’s narrow definition of “whistleblower,” but in paragraph (b) provides a more expansive definition of whistleblower that applies “[f]or purposes of the anti-retaliation protections.” Even before the SEC adopted this rule, all of the few courts faced with this issue rejected the argument that Dodd-Frank’s narrow definition of whistleblower prevails over the expansive anti-retaliation language. As a result, all whistleblowers who report possible violations of the federal securities law internally at their public companies or externally to the government now have two venues for pursuing retaliation claims: they can bring a civil action in federal district court under Dodd-Frank, or file an administrative complaint with OSHA under SOX.
Where Corporate Complainants Still Report First: Internally
The SEC rejected the pleas of the business community to make internal reporting a condition of receiving a whistleblower award, so companies have continued to worry that employees will go straight to the SEC seeking monetary awards. But according to the SEC a significant majority of those who bring tips to the SEC Office of the Whistleblower say they first tried to report to someone internally.
It is not clear how many employees of public companies and financial institutions are even aware that there is an SEC program that pays awards to whistleblowers. No doubt some corporate managers will choose not to inform their employees of the internal reporting incentives, because doing so necessarily entails informing them about the awards program too. But as the awards program becomes more widely known, the balance between the benefits of educating employees about internal reporting incentives and the potential costs of letting them know that SEC whistleblower awards are available is likely to change in favor of educating employees. In addition, companies that periodically educate employees about the SEC whistleblower awards program could find that fact helpful in persuading the SEC that they have a strong culture of compliance, should they ever wish to do so.
For those who wish to inform employees of the internal reporting incentives, here they are: First, the amount of the award may be increased if the whistleblower has “participated in internal compliance systems.” Second, when a whistleblower reports original information internally before or at the same time he or she reports to the Commission, and the employer provides the Commission with information that leads to a successful enforcement action — which can include information that goes beyond the whistleblower’s information, such as information learned in an internal investigation — the whistleblower will receive full credit for the information provided by the employer as if the whistleblower had provided the information to the SEC. Supporting the second incentive is the SEC rule that protects the whistleblower’s place in the awards line for 120 days after reporting internally. This means that if, during the 120 days after a whistleblower has reported internally, another whistleblower makes a submission to the SEC that causes the staff to investigate the matter, the initial whistleblower who reported internally will be considered first in line for an award. During the 120-day period, the company might investigate the initial internal report, add to the amount of evidence, and report the evidence to the SEC, all to the initial whistleblower’s potential financial benefit.
It seems likely to us that once the SEC has paid a very large award or two, many more employees will become aware of the awards program. We think it much less likely that those employees will also learn about the incentives and protections for internal reporting. As a result, after the SEC awards program gets into full gear, the amount of internal reporting could decline while direct reporting to the SEC increases. This effect should be dampened if companies educate their employees about the internal reporting incentives, as we have discussed above.
Personnel Actions, Prohibited and Not
Dodd-Frank’s anti-retaliation provision prohibits adverse employment actions that are taken “because of” any lawful act by the whistleblower to provide information. Adverse employment actions taken for other reasons are not prohibited. The SEC has noted that there is a well-established legal framework for making this “because of” determination on a case-by-case basis: The employee must first make a prima facie case of retaliation — that is, that he or she engaged in protected activity and has suffered an adverse employment action, and that the action was causally connected to the protected activity. The burden then shifts to the employer to articulate a legitimate, non-retaliatory reason for its employment decision. After that, the burden shifts back to the employee to show that the proffered legitimate reason is in fact a pretext and that the job action was the result of the defendant’s retaliatory animus.
The SEC discourages companies from attempting to get employees to waive or limit their anti-retaliation rights. In the SEC’s view, because the Dodd-Frank anti-retaliation provision is codified in the Exchange Act, it is covered by Section 29(a) of the Exchange Act, which provides that “[a]ny condition, stipulation, or provision binding any person to waive compliance with any provision of this title or any rule or regulation thereunder . . . shall be void.” The SEC has also suggested that the very attempt to secure a waiver or limitation might be construed by a court as supporting a retaliation claim.
In addition, the SEC rules provide that no person may take any action to impede a whistleblower from communicating directly with the Commission about a possible securities law violation, including by enforcing or threatening to enforce a confidentiality agreement.
Suggestions Regarding Complainants Who Could Be of Interest to the SEC
- Before making adverse personnel decisions, assess the risk that the adverse action would be considered retaliatory. Consider seeking advice from expert outside counsel before you act.
- Avoid unnecessary non-privileged oral and written communications relating to complainants.
- Ensure that the allegations are investigated promptly by persons with sufficient objectivity and expertise, unless it would be clear to a neutral arbiter that the allegations do not warrant investigation.
- Realize that while you might think the government will entirely discount the complainant’s allegations when the complainant has “issues,” the government will focus on the information provided by the complainant.
- Be prepared to demonstrate to the government that your company has the proper “tone at the top,” including a compliance and ethics program that is tailored to the company’s risks, applied in good faith, and effective.
- Do you have anonymous hotlines (in countries where legally permitted, such as the US)?
- Do you make clear to employees and third parties that there is a mechanism for reporting suspected or actual misconduct confidentially and without fear of retaliation?
- Do you have in place a process for investigating allegations and documenting the company’s response, including any disciplinary or remediation measures taken?
- Do you review and update your code of conduct periodically, and is it available in all necessary languages?
- Does your company provide sufficient compliance training?
- Does your company provide incentives for employees and managers related to ethics and compliance?
- Have you considered the potential benefits of periodically informing employees of the SEC whistleblower awards program and the incentives it provides for internal reporting?
- Do not take prohibited actions or actions that will cause the SEC to assume that you have the wrong attitude.
- Have you taken any action to impede a whistleblower from communicating directly with the Commission about a possible securities law violation, including by enforcing or threatening to enforce a confidentiality agreement? Such actions are prohibited by SEC rule.
- Does your code of conduct expressly require employees to report internally before reporting to US regulators?
- Have you asked or required employees to waive or limit their Dodd-Frank anti-retaliation rights?